v1.0.0

Fastlane

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:42 AM.

Analysis

This Fastlane skill is mostly purpose-aligned, but it asks agents to handle Apple/App Store credentials and run commands that can upload, submit, release, or modify apps and testers.

Guidance: Only install this if you are comfortable letting the agent help with App Store/TestFlight operations. Use scoped API keys instead of Apple ID passwords where possible, keep signing secrets protected, and require explicit confirmation before any upload, release, tester-management, force, or reject command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
fastlane deliver --ipa "/path/to/App.ipa" --submit_for_review ... `--automatic_release` | Release automatically after approval | `--force` | Skip HTML preview verification | `--reject_if_possible` | Reject current version before uploading

The skill documents direct CLI actions and flags that can submit, release, force, or replace App Store versions, but the visible instructions do not add explicit user-confirmation or safety checks before those high-impact actions.

User impact: An agent following the skill could make public or business-impacting App Store/TestFlight changes if given the right credentials and project paths.

Recommendation: Require explicit user confirmation before any upload, tester-management, submit-for-review, automatic-release, force, or reject action; confirm app identifier, build number, target account, and reversibility first.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
brew install fastlane ... sudo gem install fastlane -NV

The documented install paths pull an external Fastlane package, and the RubyGems option uses sudo. This is expected for a Fastlane CLI skill, but it is still a supply-chain and privilege point users should notice.

User impact: Installing the wrong or compromised package could execute code on the local Mac with the privileges used for installation.

Recommendation: Prefer official Fastlane installation sources, verify the package source, consider pinning versions in managed environments, and avoid sudo-based gem installation unless necessary.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
export APP_STORE_CONNECT_API_KEY_KEY_FILEPATH="/path/to/AuthKey_XXXXXXXXXX.p8" ... export FASTLANE_PASSWORD="app-specific-password" ... `MATCH_PASSWORD` | Encryption password for match certificates repo

The skill instructs users to configure App Store Connect private keys, Apple ID/app-specific passwords, and signing repository secrets. These are powerful credentials, and the registry metadata declares no required credentials or environment variables.

User impact: If misused or over-scoped, these credentials could allow app uploads, signing changes, TestFlight distribution, App Store submissions, or access to signing materials.

Recommendation: Use least-privileged App Store Connect API keys scoped to the needed app, avoid sharing Apple ID passwords where possible, store secrets in a dedicated secrets manager, and expose them only for the specific command being run.