app-release

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [SAFE]: No malicious patterns, obfuscation, or unauthorized data exfiltration attempts were detected. The skill's behavior is consistent with its stated purpose of assisting in the App Store release process.\n- [COMMAND_EXECUTION]: Employs standard CLI tools including xcodebuild, xcodegen, PlistBuddy, and git to handle archiving, signing, and uploading. These operations are performed locally and are essential for the release pipeline.\n- [DATA_EXFILTRATION]: Manages sensitive App Store Connect API keys (.p8 files). The skill correctly advises storing these in the standard ~/.appstoreconnect/ directory and emphasizes that secrets should never be printed and temporary copies should be deleted.\n- [INDIRECT_PROMPT_INJECTION]: \n
  • Ingestion points: The skill fetches existing legal text (Impressum/Privacy Policy) from an external URL during Gate 5 in references/pipeline.md.\n
  • Boundary markers: None explicitly defined for the fetched content.\n
  • Capability inventory: High capability including shell command execution (xcodebuild, git) and browser automation.\n
  • Sanitization: The skill does not describe specific sanitization steps for the imported legal text, though it specifies using it for static site generation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 20, 2026, 10:10 PM
Security Audit — agent-trust-hub — app-release