asc-metadata-updater
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The script communicates with Apple's official App Store Connect API (`api.appstoreconnect.apple.com`). This is a well-known and trusted service used for its intended purpose of updating app metadata.
- [CREDENTIALS_UNSAFE]: The skill requires sensitive credentials (ASC Key ID, Issuer ID, and a .p8 private key file). These are handled locally by the script to generate JWT tokens for authentication. The script does not transmit these credentials to any unauthorized third party.
- [DATA_EXFILTRATION]: The script transmits app metadata (descriptions, keywords, titles) to Apple's servers. This behavior is consistent with the skill's primary function and targets a trusted domain.
- [PROMPT_INJECTION]: As an indirect prompt injection surface, the skill processes external data from a `metadata.json` file.
- Ingestion points: The `update_metadata.py` script reads metadata from a user-provided JSON file via the `--metadata-file` argument.
- Boundary markers: None identified; the script treats the JSON content as data to be uploaded.
- Capability inventory: The script performs network POST/PATCH requests to the Apple API and reads local files.
- Sanitization: The script performs character limit validation (e.g., 4000 characters for descriptions) before transmission, which provides a basic layer of data validation.
- [COMMAND_EXECUTION]: The script uses standard Python libraries (`urllib`, `hashlib`) and does not invoke arbitrary shell commands or external processes.
Audit Metadata