asc-notarization

Warn

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill accesses the user's login keychain (~/Library/Keychains/login.keychain-db) to find and export certificates. This is a highly sensitive file path containing cryptographic materials.
  • COMMAND_EXECUTION (MEDIUM): It uses the security remove-trusted-cert command to modify system or user trust settings, which can impact the overall security posture of the machine.
  • CREDENTIALS_UNSAFE (MEDIUM): The skill exports a Developer ID certificate to /tmp/devid-cert.pem. Files in /tmp are often world-readable, creating a risk of credential exposure to other users or processes on the system.
  • COMMAND_EXECUTION (MEDIUM): Relies on a third-party CLI tool asc for App Store Connect interactions. Unlike the official xcrun notarytool, the source and integrity of this tool are not verified within the skill.
  • EXTERNAL_DOWNLOADS (LOW): Uses curl -sL to fetch notarization logs from a runtime-provided LOG_URL. While the output is piped to a JSON formatter, fetching data from arbitrary URLs presents a minor network risk.
  • COMMAND_EXECUTION (LOW): Uses hdiutil, productsign, and codesign to perform archive and distribution tasks. These are standard Apple utilities but involve significant system interactions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 08:50 PM