appstorereject-resolve
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses curl to communicate with the api.appstorereject.com domain to search for rejection guidelines and fetch detailed resolution strategies.
- [DATA_EXFILTRATION]: The skill transmits the detected application bundle identifier and the resolution outcome to the vendor's API for reporting purposes. This is a functional feature consistent with the skill's purpose.
- [PROMPT_INJECTION]: The skill ingests resolution data from an external API to propose code modifications, creating a surface for indirect prompt injection. Ingestion point: api.appstorereject.com/api/rejections/detail; Boundary markers: Absent; Capability inventory: Local codebase analysis and code fix proposal; Sanitization: Absent.
- [CREDENTIALS_UNSAFE]: The skill employs standard security practices by instructing the user to store the API key in an environment variable ($ASR_API_KEY) rather than hardcoding credentials.