appstore-connect
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill processes data from external App Store Connect API outputs, creating a surface for indirect prompt injection.
  - Ingestion points: External data from tools like testflight_list_testers and testflight_list_builds (SKILL.md).
  - Boundary markers: None identified.
  - Capability inventory: Significant state-changing capabilities including testflight_add_tester, testflight_create_group, and testflight_submit_for_review (SKILL.md).
  - Sanitization: No evidence of data sanitization or validation for API responses.
- [CREDENTIALS_UNSAFE]: The skill requires access to a private key file (.p8) via the APPSTORE_KEY_PATH environment variable for authentication. This requirement for a private key file represents a sensitive credential handling surface.