← Back to Skills Marketplace
dimillian

Macos Spm App Packaging

by Dimillian · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
2242
Downloads
2
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install macos-spm-app-packaging
Description
Scaffold, build, and package SwiftPM-based macOS apps without an Xcode project. Use when you need a from-scratch macOS app layout, SwiftPM targets/resources, a custom .app bundle assembly script, or signing/notarization/appcast steps outside Xcode.
README (SKILL.md)

macOS SwiftPM App Packaging (No Xcode)

Overview

Bootstrap a complete SwiftPM macOS app folder, then build, package, and run it without Xcode. Use assets/templates/bootstrap/ for the starter layout and references/packaging.md + references/release.md for packaging and release details.

Two-Step Workflow

  1. Bootstrap the project folder

    • Copy assets/templates/bootstrap/ into a new repo.
    • Rename MyApp in Package.swift, Sources/MyApp/, and version.env.
    • Customize APP_NAME, BUNDLE_ID, and versions.

  2. Build, package, and run the bootstrapped app

    • Copy scripts from assets/templates/ into your repo (for example, Scripts/).
    • Build/tests: swift build and swift test.
    • Package: Scripts/package_app.sh.
    • Run: Scripts/compile_and_run.sh (preferred) or Scripts/launch.sh.
    • Release (optional): Scripts/sign-and-notarize.sh and Scripts/make_appcast.sh.
    • Tag + GitHub release (optional): create a git tag, upload the zip/appcast to the GitHub release, and publish.

Templates

  • assets/templates/package_app.sh: Build binaries, create the .app bundle, copy resources, sign.
  • assets/templates/compile_and_run.sh: Dev loop to kill running app, package, launch.
  • assets/templates/build_icon.sh: Generate .icns from an Icon Composer file (requires Xcode install).
  • assets/templates/sign-and-notarize.sh: Notarize, staple, and zip a release build.
  • assets/templates/make_appcast.sh: Generate Sparkle appcast entries for updates.
  • assets/templates/setup_dev_signing.sh: Create a stable dev code-signing identity.
  • assets/templates/launch.sh: Simple launcher for a packaged .app.
  • assets/templates/version.env: Example version file consumed by packaging scripts.
  • assets/templates/bootstrap/: Minimal SwiftPM macOS app skeleton (Package.swift, Sources/, version.env).

Notes

  • Keep entitlements and signing configuration explicit; edit the template scripts instead of reimplementing.
  • Remove Sparkle steps if you do not use Sparkle for updates.
  • Sparkle relies on the bundle build number (CFBundleVersion), so BUILD_NUMBER in version.env must increase for each update.
  • For menu bar apps, set MENU_BAR_APP=1 when packaging to emit LSUIElement in Info.plist.
Usage Guidance
This skill appears to provide legitimate macOS SwiftPM packaging workflows, but several scripts perform sensitive actions. Before using/installing: 1) Review the scripts line-by-line (especially setup_dev_signing.sh and sign-and-notarize.sh). 2) Do not paste private keys or App Store Connect key material into an agent or into environment variables unless you trust the source; the scripts write keys to /tmp and call notarization APIs. 3) Be aware setup_dev_signing.sh will create and import a certificate into your login keychain—only run it if you understand and accept that change, and prefer to create/import certs manually in Keychain Access. 4) Run these scripts in an isolated/test environment (or VM) first. 5) Prefer obtaining this tooling from a repository with a known maintainer, commit history, and checksums; lack of a homepage/source URL is an additional risk. If you provide the App Store Connect/P8 key or Sparkle private key, ensure you rotate or audit use afterward. Additional information that would increase confidence: a public source repo, maintainer identity, release signatures/checksums, and an explicit manifest of which env vars are required vs optional.
Capability Analysis
Type: OpenClaw Skill Name: macos-spm-app-packaging Version: 1.0.0 The skill bundle is classified as suspicious due to its handling of sensitive credentials and execution of high-privilege security operations. Specifically, `assets/templates/setup_dev_signing.sh` directly modifies the user's keychain to install a code-signing identity, and `assets/templates/sign-and-notarize.sh` processes highly sensitive App Store Connect API keys for app notarization, temporarily writing the private key to disk. Additionally, `assets/templates/package_app.sh` and `assets/templates/make_appcast.sh` perform code signing and appcast signing, respectively, using provided identities or private keys, which are inherently high-risk operations, even if for their stated purpose of macOS app packaging.
Capability Assessment
Purpose & Capability
The name/description (SwiftPM macOS packaging, signing, notarization, appcast) aligns with the included templates and docs. The templates implement expected functionality: building, packaging, codesigning, notarization, and Sparkle appcast generation. Minor mismatch: registry metadata lists no required env vars, but the scripts and reference docs document several optional but sensitive environment variables used for notarization and Sparkle (APP_STORE_CONNECT_*, SPARKLE_PRIVATE_KEY_FILE, APP_IDENTITY).
Instruction Scope
SKILL.md and templates instruct running build/package/sign/notarize flows and include scripts that: call git, swift build/test, lipo, codesign, xcrun notarytool, spctl, security import, openssl and write temporary files in /tmp. The scripts will write an App Store Connect key file from an env var, import a generated PKCS#12 into the user's login keychain, and remove temp files—these are beyond simple file scaffolding and modify system state. The SKILL.md does not instruct arbitrary data exfiltration, but the scripts reference environment variables and system commands that are sensitive and can affect the user's keychain and signing identities.
Install Mechanism
No install spec (instruction-only with included template files). No network downloads or remote installers are embedded in the skill. All code is present in the template files so nothing external is fetched by the skill itself.
Credentials
The skill metadata declares no required environment variables, yet several templates and the release docs rely on sensitive env vars at runtime: APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_KEY_ID, APP_STORE_CONNECT_ISSUER_ID (notarization), SPARKLE_PRIVATE_KEY_FILE / SPARKLE_DOWNLOAD_URL_PREFIX / SPARKLE_RELEASE_VERSION (appcast), APP_IDENTITY, and optional APP_ENTITLEMENTS. These credentials are reasonable for notarization/appcast flows but are sensitive; scripts write API key contents to /tmp and import certificates into the login keychain—actions that should be made explicit to users and not assumed safe.
Persistence & Privilege
The skill does not request 'always' or persistent inclusion, but some templates (setup_dev_signing.sh) create certificates and import them into the user's login keychain (security import). That modifies system state and can create persistent signing identities. sign-and-notarize.sh uses the App Store Connect key written into /tmp for notarytool operations. These behaviors require the user's explicit consent and careful review because they affect system-level trust and signing configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install macos-spm-app-packaging
  3. After installation, invoke the skill by name or use /macos-spm-app-packaging
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Inital release
Metadata
Slug macos-spm-app-packaging
Version 1.0.0
License
All-time Installs 4
Active Installs 4
Total Versions 1
Frequently Asked Questions

What is Macos Spm App Packaging?

Scaffold, build, and package SwiftPM-based macOS apps without an Xcode project. Use when you need a from-scratch macOS app layout, SwiftPM targets/resources, a custom .app bundle assembly script, or signing/notarization/appcast steps outside Xcode. It is an AI Agent Skill for Claude Code / OpenClaw, with 2242 downloads so far.

How do I install Macos Spm App Packaging?

Run "/install macos-spm-app-packaging" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Macos Spm App Packaging free?

Yes, Macos Spm App Packaging is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Macos Spm App Packaging support?

Macos Spm App Packaging is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Macos Spm App Packaging?

It is built and maintained by Dimillian (@dimillian); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments