app-release
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or unauthorized data exfiltration attempts were detected. The skill's behavior is consistent with its stated purpose of assisting in the App Store release process.\n- [COMMAND_EXECUTION]: Employs standard CLI tools including
xcodebuild,xcodegen,PlistBuddy, andgitto handle archiving, signing, and uploading. These operations are performed locally and are essential for the release pipeline.\n- [DATA_EXFILTRATION]: Manages sensitive App Store Connect API keys (.p8files). The skill correctly advises storing these in the standard~/.appstoreconnect/directory and emphasizes that secrets should never be printed and temporary copies should be deleted.\n- [INDIRECT_PROMPT_INJECTION]: \n - Ingestion points: The skill fetches existing legal text (Impressum/Privacy Policy) from an external URL during Gate 5 in
references/pipeline.md.\n - Boundary markers: None explicitly defined for the fetched content.\n
- Capability inventory: High capability including shell command execution (
xcodebuild,git) and browser automation.\n - Sanitization: The skill does not describe specific sanitization steps for the imported legal text, though it specifies using it for static site generation.
Audit Metadata