asc-iris
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill describes how the 'asc' CLI tool extracts sensitive browser cookies (including 'myacinfo' and 'itctx') from Chrome, Safari, and Firefox. This extraction is used to authenticate with Apple's internal 'iris' API. While these are sensitive credentials, the process is transparently documented as the primary authentication method for the developer tool's intended use-case.
- [COMMAND_EXECUTION]: The skill provides instructions for executing various 'asc' CLI commands to manage apps. It identifies a design pattern ('affordances') where the tool's JSON output suggests ready-to-run commands for the agent to follow, which constitutes a dynamic command execution surface.
- [SAFE]: The identified operations are consistent with the tool's stated purpose of providing a CLI interface for App Store Connect features not available in the public API (like app creation). No evidence of prompt injection, hidden network operations to third-party domains, or unauthorized persistence was found.
Audit Metadata