asc-auth
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute various subcommands of the `asc` CLI tool, such as `asc auth login`, `asc auth use`, and `asc auth logout`, to manage user sessions and account configurations.
- [CREDENTIALS_UNSAFE]: The skill manages highly sensitive Apple App Store Connect API credentials, specifically Key IDs, Issuer IDs, and Private Keys (PEM format). It provides functionality to pass raw private key content as a command-line argument (`--private-key`) and saves these secrets to a local JSON file at `~/.asc/credentials.json`.
- [DATA_EXPOSURE]: The skill interacts with sensitive file paths, including the central credentials file and individual `.p8` private key files (e.g., `~/.asc/AuthKey_KEYID.p8`). While intended for local management, the presence of private keys in the command-line history or agent logs poses a potential exposure risk.
Audit Metadata