apple-search-ads
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: The skill code was thoroughly reviewed and no malicious patterns, obfuscation, or persistence mechanisms were detected.
- [EXTERNAL_DOWNLOADS]: The skill interacts with official Apple domains (appleid.apple.com and api.searchads.apple.com) to perform its core functions of authentication and campaign management.
- [CREDENTIALS_UNSAFE]: The tool manages sensitive API credentials and private EC keys, but it correctly implements security safeguards by storing them in a hidden local directory (~/.asa-cli) and applying restrictive 0600 file permissions.
- [PROMPT_INJECTION]: A potential surface for indirect prompt injection exists where the tool processes search term data from API reports. Evidence: Ingestion point in asa_cli/commands/optimize.py (search term report fetching); Boundary markers are absent in the display of this data; Capability inventory includes ad and keyword modification functions in asa_cli/api.py; Sanitization is performed by lowercasing keyword text. The risk is assessed as safe due to the analytical nature of the data usage.
Audit Metadata