Macos Spm App Packaging

The name/description (SwiftPM macOS packaging, signing, notarization, appcast) aligns with the included templates and docs. The templates implement expected functionality: building, packaging, codesigning, notarization, and Sparkle appcast generation. Minor mismatch: registry metadata lists no required env vars, but the scripts and reference docs document several optional but sensitive environment variables used for notarization and Sparkle (APP_STORE_CONNECT_*, SPARKLE_PRIVATE_KEY_FILE, APP_IDENTITY).

SKILL.md and templates instruct running build/package/sign/notarize flows and include scripts that: call git, swift build/test, lipo, codesign, xcrun notarytool, spctl, security import, openssl and write temporary files in /tmp. The scripts will write an App Store Connect key file from an env var, import a generated PKCS#12 into the user's login keychain, and remove temp files—these are beyond simple file scaffolding and modify system state. The SKILL.md does not instruct arbitrary data exfiltration, but the scripts reference environment variables and system commands that are sensitive and can affect the user's keychain and signing identities.

No install spec (instruction-only with included template files). No network downloads or remote installers are embedded in the skill. All code is present in the template files so nothing external is fetched by the skill itself.

The skill metadata declares no required environment variables, yet several templates and the release docs rely on sensitive env vars at runtime: APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_KEY_ID, APP_STORE_CONNECT_ISSUER_ID (notarization), SPARKLE_PRIVATE_KEY_FILE / SPARKLE_DOWNLOAD_URL_PREFIX / SPARKLE_RELEASE_VERSION (appcast), APP_IDENTITY, and optional APP_ENTITLEMENTS. These credentials are reasonable for notarization/appcast flows but are sensitive; scripts write API key contents to /tmp and import certificates into the login keychain—actions that should be made explicit to users and not assumed safe.

The skill does not request 'always' or persistent inclusion, but some templates (setup_dev_signing.sh) create certificates and import them into the user's login keychain (security import). That modifies system state and can create persistent signing identities. sign-and-notarize.sh uses the App Store Connect key written into /tmp for notarytool operations. These behaviors require the user's explicit consent and careful review because they affect system-level trust and signing configuration.