Jamf Script Safety Reviewer

Review Jamf and Kandji scripts for safer user context, prompts, logging, and rollout readiness.

Install
cmdop skills install agensi-jamf-script-safety-reviewer

Jamf Script Safety Reviewer is a skill that performs defensive pre-deployment review of scripts used with Jamf Pro, Self Service, Kandji, and Iru. It is designed for Mac admins who want to catch safety and hygiene issues before scripts run in production across managed devices.

The skill examines console-user detection logic and root-versus-user assumptions, which are common sources of unintended privilege escalation or broken behavior. It inspects prompt patterns that could expose sensitive input through logs, files, or process listings, and reviews how Jamf API tokens are handled in redacted examples. Shell robustness issues — including quoting mistakes, unsafe PATH assumptions, temp file handling, cleanup gaps, and rollback readiness — are also checked. For teams migrating workflows, it provides Kandji and Iru adaptation notes.

After review, the skill returns a verdict of ready, caution, or hold, accompanied by specific findings, safer replacement patterns, suggested test steps, and rollout notes for staged deployment planning. This structured output lets admins act on findings without interpreting raw analysis.

The skill operates on redacted or synthetic script examples only. It does not collect, validate, store, transmit, or request live passwords, tokens, recovery keys, or private tenant values. It is not a script executor and does not connect to any Jamf or Kandji tenant.

Use cases

  • Review a Jamf Pro policy script for logging hygiene before deploying to a fleet
  • Check a Self Service script for prompt patterns that could leak credentials into process listings
  • Audit a Kandji script migrated from a Jamf workflow for adaptation issues
  • Identify unsafe temp file handling and missing cleanup steps in a shell script
  • Validate root-versus-user context assumptions before a staged rollout
  • Get a ready, caution, or hold verdict with specific findings for a deployment sign-off process

When to use it

  • Before promoting a new or modified script to a production Jamf or Kandji environment
  • When reviewing scripts that handle user prompts or API tokens
  • During a migration from Jamf Pro to Kandji or Iru to catch workflow adaptation gaps
  • When a fleet admin wants structured findings and safer replacement patterns without manual code review

When not to use it

  • When live script execution or direct MDM tenant interaction is needed
  • When reviewing scripts for non-Mac platforms outside Jamf, Kandji, or Iru
  • When validation requires passing real passwords, tokens, or recovery keys — the skill does not accept live credentials
  • When the goal is automated remediation rather than advisory findings