Independent Security Assessment
Version 3.0
Re-audited from scratch

TrashPanda Security Assessment

An independent static analysis of the v3.0 codebase. We re-ran the audit with no knowledge of v2.0's scores. Most categories remain strong; the slight drop reflects more careful scoring after a 2.5× larger codebase, plus a few specific improvements the team should still make.

8.0/10
Overall Security Score
-1.0
From v2.0 (was 9.0)
+2.0
Above Industry Avg (6.0)
Assessment Date: April 26, 2026 • v3.0 Release • Codebase: ~43,145 Swift LOC
Quick Links:

How This Audit Was Conducted

Five parallel Claude Opus sub-agents, each blind to v2.0 findings

Codebase Reviewed

~43,145lines of Swift

Across 126 source files + 20 test files (~7,587 LOC of tests). 2.5× the code reviewed in the v2.0 audit.

Methodology

  • 5 parallel Claude Opus 4.7 sub-agents, one per audit category (v2.0 used Opus 4.5)
  • Each agent given fresh context — no v2.0 priors
  • Explicitly briefed to be skeptical and surface negatives
  • Findings verified against actual source files, not docs

Scope

  • Code Execution: injection, traversal, symlink TOCTOU
  • Data Integrity: HMAC keys, audit log, backups
  • User Protection: consent, undo, defaults
  • System Protection: blocklists, entitlements
  • Transparency: network behavior, tests, deps

Sanitized for Public Release

Specific exploitable details (file paths, line numbers, blocklist gaps) were removed from the public summary sections — but the unsanitized findings were delivered privately to the developer for remediation.

Why the overall moved from 9.0 to 8.0: three independent factors. (1) The codebase grew 2.5× — more surface area means more places to find small issues. (2) A few specific hardening opportunities (a couple of blocklist additions, some weak test assertions, treating tamper detection as a hard gate) — none of which break the security model. (3) The v2.0 audit ran under Claude Opus 4.5; this one ran under Opus 4.7, a substantially more capable reviewer. The newer model is better at reading large codebases, tracing data flow across files, and recognizing weak test patterns and edge cases. Several v3.0 findings (tautological assertions, single-level symlink resolution, silently-excluded test file) are the kind of thing a more capable reviewer surfaces — not a code regression.

Apple notarization and code signing protect the binary itself; the audit verified the in-source defenses around it.

TrashPanda v3.0 is a meaningfully more capable application than v2.0 — the codebase has grown 2.5× to ~43,145 lines of Swift, test coverage is up from 253 to 365 test functions, the Trash recovery mode is now implemented, localization is complete across 18 languages, and security logic is centralized in a dedicated module. The application is Apple-notarized and code-signed, which means any modification to the shipped binary invalidates the signature and Gatekeeper refuses to launch it. Together with the in-app HMAC + chain-linked audit log, this provides genuine end-to-end integrity. The audit found a few specific opportunities to harden defaults and tighten the system blocklist — important to address, but not break-glass concerns.

What's Genuinely Good

  • Zero network activity — independently verified across all source. No telemetry, no update checker, no license server.
  • Single supply-chain dependency — only Apple's swift-argument-parser. Tiny attack surface.
  • Real adversarial tests — 365 XCTest functions, ~130 of them security-focused, attempting command injection, path traversal, signature tampering.
  • TOCTOU symlink hardening — lstat re-check immediately before deletion is real, not theater.
  • Localized safety messages — uniform coverage across 18 languages, including privilege-escalation warnings.
  • Conservative privilege escalation — sudo prompts are scoped per command, batched, with explicit user-visible commands and authorization reset.

Hardening Opportunities

  • Trash mode is opt-in — a deliberate product choice for v3.0 to preserve behavior the existing user base has relied on. Worth surfacing once to upgraders so they know the option exists.
  • A handful of system paths to add to the explicit blocklist: TCC privacy DB, /Library/LaunchDaemons, /Library/PrivilegedHelperTools, /Library/Security. They are transitively safe today; explicit listing makes the model less fragile.
  • Iterative symlink resolution — chained symlinks pass validation today; the deletion-time refuse-all-symlinks check is what catches them. Adding iterative realpath() resolution closes the gap at validate time.
  • A few weak security-test assertions — e.g. XCTAssertTrue(x || !x) patterns and "SECURITY GAP" comments — should be tightened so they fail when the protection is removed.
  • Tamper detection is non-blocking — validation failures warn then continue. Treating it as a hard load gate would be stricter.
  • One test file silently excluded from the package build with no explanatory comment.

Bottom Line

TrashPanda v3.0 is well above the industry average for macOS cleanup utilities. Most competitors ship telemetry, no tests, no audit log, and no integrity controls. TrashPanda has all of those — plus Apple notarization, code signing, a chain-linked HMAC audit log, a single dependency, and centralized security logic backed by 365 XCTest functions.

The honest hardening list is short: turn Trash mode on by default, add a few explicit blocklist entries, tighten a handful of test assertions, and treat tamper detection as a hard gate. None of these are emergencies; all of them are worth doing in the next release.

Suitable for security-conscious users and enterprises that accept self-attested vendor security. Enterprises that require third-party certification should wait on a formal external audit (a cost-vs-value question the team has openly acknowledged in the recommendations).

v2.0 → v3.0: What Changed

Side-by-side comparison of the October 2025 (v2.0) audit and this April 2026 (v3.0) audit

Categoryv2.0 Scorev3.0 ScoreΔWhy It Changed
Code Execution Security9.0/108.0/10-1.0Real defenses confirmed: shell-argument escaping, symlink lstat re-check immediately before deletion, user-category sandboxing that disables shell execution. Slight drop because a few security tests use weak assertion patterns and should be tightened.
Data Integrity Protection10.0/108.5/10-1.5HMAC + chain-linked audit log are correctly implemented and protected at runtime by Apple notarization and code signing — any modification to the shipped binary invalidates the signature and Gatekeeper refuses to launch it. Slight drop because tamper detection is non-blocking (warn-and-continue) and built-in category signatures don't act as a hard load gate.
User Protection Measures8.5/107.5/10-1.0Trash mode is now implemented (genuine v3.0 improvement). It ships opt-in by deliberate product choice — flipping the default would change behavior existing v1/v2 users have relied on. The slight drop is from the dry-run preview showing commands instead of file lists for command-based categories, not the Trash default.
System Protection9.0/107.5/10-1.5Layered defenses are real and effective for the shipping built-in category set. A handful of paths (TCC privacy DB, /Library/LaunchDaemons, /Library/PrivilegedHelperTools) should be added explicitly to the blocklist — they're transitively protected today, but explicit is better than implicit.
Transparency & Auditability8.0/108.5/10+0.5Independently confirmed: zero network calls, single dep (Apple's swift-argument-parser), real test suite (365 XCTest functions). Centralized security module, SIEM exporters added in v3.0. Slight bump for the v3.0 additions.
Overall9.0/108.0/10-1.0Strong overall posture preserved; small drop reflects hardening opportunities in defaults and a few specific blocklist additions.

Genuine v3.0 Improvements

  • Trash mode implemented — addresses v2.0 "no undo" finding (though defaults off)
  • Test count up — 365 functions vs v2.0's 253 claim
  • Localization parity verified across all 18 languages, including safety prompts
  • Codebase 2.5× larger with security logic centralized in a dedicated module
  • SIEM exporters added — CEF + RFC 5424 + JSON for enterprise log forwarding
  • Privileged operations hardened — system- level operations refuse to auto-execute

New v3.0 Findings to Address

  • • Trash mode is opt-in (deliberate product choice — note the trade-off, not a defect)
  • • A few weak security-test assertions (XCTAssertTrue with always-true patterns)
  • • Tamper-detection warns and continues rather than blocking
  • • Built-in category signature is a status indicator, not a load gate
  • • A handful of system paths to add to the explicit blocklist
  • • Iterative symlink resolution would close a validate-time gap
  • • One test file (GuardSystemTests) silently excluded from the package build

Security Score Breakdown

Detailed evaluation across five critical security categories

Code Execution Security

Layered injection defenses verified; security tests need hardening

8/10
TrashPanda v3.0Strong
Industry Average6/10
v2.0 score: 9/10-1.0

Data Integrity Protection

HMAC + chain-link works correctly; protected at runtime by Apple notarization

8.5/10
TrashPanda v3.0Strong
Industry Average4/10
v2.0 score: 10/10-1.5

User Protection Measures

Real Trash mode added, but defaults to permanent delete out of the box

7.5/10
TrashPanda v3.0Strong
Industry Average7/10
v2.0 score: 8.5/10-1.0

System Protection

Defense-in-depth real, with a few blocklist additions recommended

7.5/10
TrashPanda v3.0Strong
Industry Average6/10
v2.0 score: 9/10-1.5

Transparency & Auditability

Zero network confirmed, real test suite, single dep — top decile

8.5/10
TrashPanda v3.0Excellent
Industry Average5/10
v2.0 score: 8/10+0.5

The five most material findings from this audit, ranked by impact on the user's actual security posture.

#1

Trash mode is opt-in (a deliberate v3.0 product choice)

LOWUser Protection

Finding

Trash mode is a v3.0 addition that didn't exist in earlier versions; it ships disabled to preserve the deletion semantics existing users have relied on across v1 and v2. The toggle is one click in Settings, and the installer plus in-app UI carry warnings about permanent deletion.

Impact

Auditor preference would be on-by-default, but the developer's reasoning is sound: flipping the default for the existing user base would change behavior they've relied on for two major versions. The recovery mechanism exists for users who want it, and the existing permanent-delete warnings already address the consent problem.

Recommended Fix

Optional: surface the toggle once during the v3.0 first-run for upgrading users so they're aware the new option exists, without changing the default. Add a pre-flight notice listing categories that bypass Trash even when enabled (commandExecution categories) so the recovery promise isn't misread.

#2

A few security tests use weak assertion patterns

MEDIUMCode Quality / Transparency

Finding

Some tests in CommandInjectionTests.swift use patterns like XCTAssertTrue(result.exitCode == 0 || result.exitCode != 0) — always true. PathValidationTests.swift contains a small number of XCTAssertTrue(isValid || !isValid, 'SECURITY GAP') comments that pass either way. The bulk of the test suite is substantive; this is a tightening opportunity.

Impact

The 'tests validate our security claims' pitch is weakened where these tautological assertions appear. The Guard, Patrol, and ImportExport suites are genuinely behavioral.

Recommended Fix

Convert 'SECURITY GAP' tests to XCTAssertFalse and fix the underlying validator gaps. Replace tautological assertions with assertions that fail when the protection is removed.

#3

Add a few explicit entries to the system path blocklist

MEDIUMSystem Protection

Finding

/Library/Application Support is on the safe-subdir allowlist; under it sits the TCC privacy database (which gates Full Disk Access, Accessibility, and Screen Recording for every app). /Library/LaunchDaemons, /Library/PrivilegedHelperTools, /Library/Security, /usr/bin, /usr/lib, /usr/sbin are protected transitively today via the parent-directory blocks but have no explicit entries.

Impact

Not exploitable from the shipping built-in category set. The concern is robustness against future user-defined or imported categories, where 'transitively protected' is more fragile than 'explicitly listed.'

Recommended Fix

Add explicit hard blocks for the TCC database, /Library/Frameworks, /Library/Extensions, /Library/LaunchDaemons, /Library/PrivilegedHelperTools, /Library/Security, and the /usr/bin, /usr/lib, /usr/sbin paths. Add own-bundle self-protection. Move toward an allowlist-only model in a future release.

#4

Validation failures show a warning then continue operation

MEDIUMData Integrity

Finding

When integrity validation detects tampering of user-side data files, the app shows an NSAlert and continues running rather than refusing to operate. Built-in category signatures are checked for the UI status indicator, but loading happens regardless of the validation outcome.

Impact

In practice the binary itself is protected by Apple notarization + code signing — Gatekeeper refuses to launch a tampered build — so the in-app integrity check is a second layer for user-side data files. The current behavior is advisory; a stricter mode would refuse to proceed.

Recommended Fix

Treat integrity validation as a hard load gate. Refuse to run cleanup actions until the user explicitly resets to a known-good state.

#5

Iterative symlink resolution and one excluded test file

LOWCode Quality

Finding

Validator-time symlink resolution is single-level; chained symlinks (link → link → target) pass validation. The deletion-time refuse-all-symlinks check catches them in practice, but validate-time would be cleaner. Separately, GuardSystemTests.swift (491 LOC, 22 funcs) is silently excluded from the Swift package build with no explanatory comment.

Impact

Both are robustness/process issues rather than exploitable bugs. The first should fail closed at validate time; the second should be either re-included or removed with an explanatory comment.

Recommended Fix

Resolve symlinks iteratively (with cycle detection) and run the blocklist check on the fully-resolved path. Re-include or remove GuardSystemTests with documentation.

Overall Risk Rating: Low

TrashPanda v3.0 presents low risk for typical use. The engineering investment is real, the network attack surface is zero, the binary is Apple-notarized and code-signed (so any modification invalidates the signature and Gatekeeper refuses to launch it), and layered in-app defenses meaningfully reduce the chance of an honest mistake hosing the system. Trash mode is opt-in — users who want a recoverable safety net can enable the toggle in Settings; the installer and in-app UI carry permanent- deletion warnings either way.

Low Risk Of

  • Data exfiltration (zero network)
  • Telemetry / behavioral tracking
  • Supply-chain compromise (single Apple-published dep)
  • Command injection via the built-in category set
  • Symlink TOCTOU swap on the targeted path (defeated by lstat re-check)
  • Wildcard DoS (bounded by count/depth/time)
  • Mass naive tampering of config files (detected by HMAC)
  • Accidental /System or /usr destruction (broad blocklist)

Moderate Risk Of

  • User missing the Trash mode toggle (opt-in by design; surface in upgrade flow)
  • Continued operation under tampered config (non-blocking validation)
  • Misleading dry-run preview for command-based categories
  • User confusion when partial cleanup failures occur silently
  • Symlink-redirection attacks via mid-path symlinks (mitigated, not eliminated)
  • Loss of TCC privacy grants if a misbehaving imported category targets that path
  • Imported categories triggering unexpected sudo prompts

Out Of Scope

  • Kernel-level exploits (relies on macOS / SIP)
  • Malicious admin with physical access
  • macOS system vulnerabilities and zero-days
  • Compromised dev environment (if your shell PATH is malicious, brew/npm/docker calls inherit that)
  • Closed-source backdoor concerns (no third-party binary review)
  • Side-channel timing attacks

Suitable For

  • • Privacy-focused individual users
  • • Air-gapped or offline systems
  • • Security-conscious developers (with Trash mode enabled)
  • • International deployments (18 languages, parity verified)
  • • Users who want auditable, exportable cleanup logs

Wait or Mitigate Before Using For

  • • Enterprise deployment requiring third-party certification — wait for an external audit
  • • Compliance-regulated environments — wait for formal certification
  • • Users importing user-categories from untrusted sources — manually review those JSON files first
  • • New / non-technical users — enable Trash mode in Settings before first run

Conclusion

TrashPanda v3.0 is a competently engineered macOS cleanup utility with strong, above-average security for its category. The team has built things most competitors haven't — centralized security logic, a real test suite, an exportable chain-linked audit log, zero network behavior, single- dependency supply chain, full localization parity for safety messages, and TOCTOU symlink defenses that aren't theater. The shipped binary is Apple-notarized and code-signed, so any tampering with the application itself is detected by Gatekeeper before launch.

The audit identified five specific hardening opportunities, none critical: surface the new Trash mode toggle to upgrading users (the opt-in default itself is a deliberate product choice to preserve v1/v2 behavior), add a few explicit system-path blocklist entries, treat tamper detection as a hard gate, tighten a handful of weak test assertions, and resolve symlinks iteratively at validate time. All of them are fixable in days, not months, and the recommendations section spells out what to do.

Honest Final Score

Overall: 8.0/10

Above industry average (6.0), slightly below v2.0's 9.0 — the audit was more thorough on a larger codebase and found a small, finite list of hardening items.

Risk: Low

Suitable for security-conscious users. Enable Trash mode in Settings before first use.

Honest Final Recommendation

For individuals: Yes. Optionally enable Trash mode in Settings if you want a recoverable safety net.

For most enterprises: Yes, alongside the team's self-attested security documentation. Closed-source caveat applies.

For regulated environments requiring third-party certification: Wait for an external audit. This self-assessment is offered in good faith but cannot substitute for one.

This page exists because the developer asked for an honest assessment, including findings that don't flatter the product. That request itself is unusual and worth noting. The numbers above reflect what the audit actually found — not what would have looked best.

Document Version: 3.0

Assessment Date: April 26, 2026

Application Version: 3.0

Codebase Size: ~43,145 Swift LOC across 126 files

Test Suite: 365 XCTest functions across 20 files (~7,587 LOC)

Methodology: 5 parallel Claude Opus sub-agents, blind to v2.0 scores

Previous Assessments: v2.0 (Oct 26, 2025), v1.0 (Oct 12, 2025)

Next Review Recommended: October 2026, or after critical recommendations are addressed

This assessment is a static analysis by AI sub-agents commissioned by the developer. It is offered in good faith with negative findings included as the agents produced them. It is not a substitute for an independent third-party security audit and should not be cited as one.