asc-builds-upload
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security threats were detected. The skill uses standard command-line interfaces to interact with App Store Connect APIs for build management and distribution.
- [DATA_EXPOSURE]: The skill reads from a local configuration file .asc/project.json to resolve application identifiers. This is a standard practice for project-specific tooling and does not involve accessing sensitive system credentials or exfiltrating data to untrusted domains.
- [COMMAND_EXECUTION]: The skill describes the execution of the asc CLI tool and the jq utility. These are used for their intended purposes of interacting with an API and parsing JSON output respectively. No arbitrary command execution or shell injection patterns were found.
- [INDIRECT_PROMPT_INJECTION]: The skill allows for user-provided 'What's New' notes to be sent to App Store Connect. While this involves ingesting untrusted text, it is a primary function of the build distribution process and does not grant the input any influence over the agent's internal logic or control flow.