asc-check-readiness
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The provided CI Gate Script contains a pattern that dynamically executes shell commands based on the output of an external tool.
- Evidence: The script in SKILL.md uses `eval "$(echo "$RESULT" | jq -r '.data[0].affordances.submit')"` to execute a command string fetched from the `asc` CLI tool.
- Risk: This pattern is vulnerable to indirect injection. If the `asc` tool's data source (e.g., the App Store Connect API) or the tool itself returns a malicious payload in the `affordances.submit` field, the script will execute it without validation.
- [COMMAND_EXECUTION]: The skill ingests untrusted data from an external API (via the `asc` tool) and uses it to drive subsequent actions.
- Ingestion points: Output of `asc versions check-readiness` (processed in SKILL.md).
- Boundary markers: None present; the script directly pipes tool output into an execution context.
- Capability inventory: Shell command execution via `eval`.
- Sanitization: No sanitization or validation is performed on the `affordances.submit` string before execution.
Audit Metadata