asc-testflight

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUM (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions explicitly utilize a sensitive Apple private key file for authentication.
      • Evidence: The path ~/.asc/AuthKey.p8 is used in the asc auth login command.
  • [DATA_EXFILTRATION]: Accessing the App Store Connect API key and project configuration files (.asc/project.json) creates a risk of exposing sensitive developer credentials if the agent's environment is compromised.
  • [COMMAND_EXECUTION]: The skill relies on executing the asc command-line utility to interact with Apple services.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of external data.
      • Ingestion points: The skill reads data from .asc/project.json and user-supplied CSV files (testers.csv).
      • Boundary markers: Absent; there are no explicit delimiters or warnings to ignore instructions embedded within the processed data.
      • Capability inventory: The skill can execute subprocess commands (asc) and write data to files via redirection.
      • Sanitization: Absent; the skill does not specify any validation or filtering of the CSV or JSON content before it is used.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 14, 2026, 06:21 AM