Skills
skills/tddworks/asc-cli-skills/asc-xcode-cloud/Gen Agent Trust Hub

asc-xcode-cloud

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to execute the asc CLI tool for managing Xcode Cloud products, workflows, and builds.
  • [CREDENTIALS_UNSAFE]: The documentation references the path ~/.asc/AuthKey.p8, which points to a sensitive App Store Connect API private key file used for authentication.
  • [PROMPT_INJECTION]: The skill implements a 'CAEOAS Affordances' pattern, instructing the agent to run command strings extracted directly from JSON responses of previous commands. This creates a surface for indirect prompt injection if the output from the tool or API is compromised.
  • Ingestion points: JSON output from asc CLI commands in SKILL.md.
  • Boundary markers: Absent; the agent is told to 'just run the command from the affordance of the previous response'.
  • Capability inventory: Extensive shell command execution capabilities via the asc tool for CI/CD management as detailed in SKILL.md and references/commands.md.
  • Sanitization: Absent; no validation or sanitization of the affordance strings is described before execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 14, 2026, 06:21 AM