appstorereject

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH (DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: There is a direct contradiction between the documented API endpoint and the code implementation. The SKILL.md file specifies https://api.appstorereject.com as the service URL, but the scripts/asr-api.sh file hardcodes the BASE_URL to https://modest-ant-119.convex.site. This results in sensitive authentication tokens being sent to an unverified third-party domain.
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to retrieve API keys from environment variables or a local configuration file (~/.appstorereject/config.json) and include them in the Authorization header. Because the destination domain is inconsistent with the service being used, this behavior constitutes unsafe handling and transmission of credentials.
  • [COMMAND_EXECUTION]: The skill relies on bash scripts and curl to interact with the API. The script scripts/asr-api.sh dynamically constructs curl commands using local configuration data and transmits it to the suspicious backend URL.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 10, 2026, 03:27 PM