
Swift Security
Review iOS auth token storage, Keychain usage, and secret-handling patterns before App Store release.
Overview
swift-security is an agent skill for the Ship phase that reviews iOS secret storage and Keychain patterns with severity-rated findings before release.
Install
npx skills add https://github.com/dpearson2699/swift-ios-skills --skill swift-security
What is this skill?
- Structured security review for OAuth/access and refresh token storage
- Flags UserDefaults plaintext secrets and ignored SecItem OSStatus
- Requires explicit kSecAttrAccessible or SecAccessControl on Keychain items
- Recommends add-or-update Keychain flow instead of delete-then-add
- Eval-driven expectations for severity assignment and remediated patterns
- Includes eval scenarios such as keychain-token-review with explicit assertion categories for OSStatus and accessibility
Adoption & trust: 717 installs on skills.sh; 713 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to ship an iOS app and are unsure whether tokens and secrets are stored safely in Keychain versus plaintext stores.
Who is it for?
Indie iOS developers validating auth helpers, Keychain wrappers, and credential persistence under agent-assisted code review.
Skip if: Backend-only API security, Android Keystore work, or teams without Swift/iOS source to inspect.
When should I use this skill?
Reviewing iOS token storage, Keychain helpers, or secret-handling code before shipping.
What do I get? / Deliverables
You get a prioritized security review with concrete Keychain fixes: OSStatus handling, an explicit accessibility policy, and an add-or-update save flow.
- Severity-rated security findings
- Recommended Keychain add-or-update implementation
- Remediation checklist aligned to Apple APIs
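The add-or-update Keychain flow that the deliverables above describe, written out as an added example (this is not the skill's own reference code): a small Swift wrapper that sets kSecAttrAccessible explicitly on every item, checks every OSStatus, keeps errSecItemNotFound ("no token") separate from errSecInteractionNotAllowed ("device locked, retry later"), and falls back to SecItemUpdate when SecItemAdd returns errSecDuplicateItem instead of deleting first. The service string, the account names and the KeychainError type are assumptions made for the example.

```swift
import Foundation
import Security

/// Errors surfaced from Keychain calls instead of silently ignoring OSStatus.
enum KeychainError: Error {
    /// The item's accessibility class forbids access while the device is locked;
    /// callers should retry after unlock rather than treat the token as lost.
    case interactionNotAllowed
    /// Any other non-success OSStatus, kept so logs show the real code.
    case unhandled(OSStatus)
}

/// One generic-password Keychain item per account (hypothetical helper).
struct KeychainTokenStore {
    /// Service namespace, e.g. the app's bundle identifier (assumed value).
    let service: String

    private func baseQuery(account: String) -> [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Add-or-update: try SecItemAdd first; on errSecDuplicateItem fall back to
    /// SecItemUpdate so the existing item is preserved. Delete-then-add would leave
    /// a window with no token and discards the item's existing attributes.
    func save(token: Data, account: String) throws {
        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = token
        // Explicit accessibility: readable only while unlocked and never
        // migrated to another device through a backup.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

        let addStatus = SecItemAdd(attributes as CFDictionary, nil)
        switch addStatus {
        case errSecSuccess:
            return
        case errSecDuplicateItem:
            // Re-assert the accessibility class so an older item written without
            // one is brought under the same policy.
            let update: [String: Any] = [
                kSecValueData as String: token,
                kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            ]
            let updateStatus = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                                             update as CFDictionary)
            try check(updateStatus)
        default:
            try check(addStatus)
        }
    }

    /// Returns nil when no token exists; throws on locked-device or other failures
    /// so the caller cannot confuse "not logged in" with "cannot read right now".
    func load(account: String) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            return result as? Data
        case errSecItemNotFound:
            return nil
        default:
            try check(status)
            return nil
        }
    }

    /// Logout helper: a missing item is not an error here.
    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        if status != errSecItemNotFound { try check(status) }
    }

    /// Central OSStatus check so no SecItem result is ever ignored.
    private func check(_ status: OSStatus) throws {
        switch status {
        case errSecSuccess: return
        case errSecInteractionNotAllowed: throw KeychainError.interactionNotAllowed
        default: throw KeychainError.unhandled(status)
        }
    }
}
```

Usage looks like `let store = KeychainTokenStore(service: "com.example.app")` followed by `try store.save(token: Data(refreshToken.utf8), account: "oauth.refresh")`; a caller that receives `KeychainError.interactionNotAllowed` from `load` should defer the request until the device is unlocked rather than send the user back to login.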
Journey fit
Secret storage and Keychain mistakes are ship-blockers caught in pre-release security review, not ideation. The skill centers on app security findings—Keychain OSStatus, accessibility classes, and plaintext token anti-patterns.
How it compares
Use as an iOS appsec review skill, not a generic dependency vulnerability scanner or MCP secrets broker.
Common Questions / FAQ
Who is swift-security for?
Solo builders shipping Swift/iOS apps who need Keychain and token-storage review from coding agents before release.
When should I use swift-security?
During Ship when auditing login flows, refresh-token persistence, SecItem error handling, or pre-release security checks on mobile code.
Is swift-security safe to install?
Check Prism’s Security Audits panel and the upstream skill repo; do not grant broader permissions than your review workflow requires.
SKILL.md - Swift Security
{
  "skill_name": "swift-security",
  "evals": [
    {
      "id": 0,
      "name": "keychain-token-review",
      "prompt": "Review this iOS token storage helper before we ship it. It saves an OAuth refresh token with `UserDefaults.standard.set(refreshToken, forKey: \"refresh\")`, writes access tokens with `SecItemAdd(query as CFDictionary, nil)` but ignores the returned OSStatus, omits `kSecAttrAccessible`, and calls `SecItemDelete` before every save to avoid duplicates. What is wrong, what severity would you assign, and what should the corrected Keychain pattern require?",
      "expected_output": "A security review that flags plaintext token storage, ignored OSStatus, missing accessibility, and delete-then-add as findings; assigns severity; and requires Keychain add-or-update with explicit accessibility and recoverable error handling.",
      "files": [],
      "assertions": [
        "Flags the refresh token in UserDefaults as a critical or high-severity insecure secret storage finding.",
        "Requires checking OSStatus for SecItem calls and specifically handling errSecDuplicateItem, errSecItemNotFound, and errSecInteractionNotAllowed where relevant.",
        "Requires an explicit kSecAttrAccessible or SecAccessControl policy for added items.",
        "Rejects delete-then-add as the normal update strategy and recommends add-or-update with SecItemUpdate on errSecDuplicateItem.",
        "Cites or names the relevant swift-security reference files for Keychain fundamentals, credential storage, access control, or common anti-patterns."
      ]
    },
    {
      "id": 1,
      "name": "biometric-secret-boundary",
      "prompt": "A banking app wants Face ID before showing an account number. The current plan is to call `LAContext.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: ...)`, check the returned Bool, then read the account number from UserDefaults. They also forgot `NSFaceIDUsageDescription`. Write the correction plan and include the important iOS API constraints.",
      "expected_output": "A correction plan that rejects the standalone LAContext Bool gate, moves the secret into a Keychain item protected by SecAccessControl, mentions Face ID usage description, handles enrollment changes, and states availability constraints for the biometric APIs.",
      "files": [],
      "assertions": [
        "States that LAContext.evaluatePolicy alone must not release or protect the stored secret.",
        "Requires storing the account number or token in Keychain behind SecAccessControl with an appropriate flag such as .biometryCurrentSet or .userPresence.",
        "Mentions NSFaceIDUsageDescription as required for Face ID use.",
        "Explains the enrollment-change effect of .biometryCurrentSet or evaluatedPolicyDomainState and the need for recovery/re-enrollment handling.",
        "Cites or names biometric-authentication and keychain-access-control references."
      ]
    },
    {
      "id": 2,
      "name": "security-sibling-boundary",
      "prompt": "A team asks for one security checklist covering Sign in with Apple, passkey server verification, App Attest assertions, URLSession quantum-secure TLS, custom end-to-end document encryption on iOS 26, Keychain refresh-token storage, Secure Enclave keys, and App Store privacy manifests. Give a concise scope review for what swift-security should answer directly and what should be handed to sibling skills.",
      "expected_output": "A boundary-aware scope review that keeps Keychain, CryptoKit, Secure Enclave, credential storage, and certificate trust in swift-security; routes auth UI/server passkeys, App Attest, URLSession/TLS transport, and App Store privacy manifests to sibling skills; and names iOS 26 CryptoKit availability for custom quantum-secure workflows.",
      "files": [],
      "assertions": [
        "Keeps Keychain refresh-token storage, Secure Enclave key policy, certificate trust, and client-side CryptoKit guidance in swift-secu