Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
App Store
v1.0.0 · Publish and manage iOS and Android apps with account setup, submission workflows, review compliance, and rejection handling.
by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the SKILL.md content (App Store Connect and Google Play workflows). However, the skill metadata declares no required env vars, binaries, or config paths while the instructions explicitly rely on App Store Connect .p8 keys (Issuer ID, Key ID, key.p8), Google service-account JSON, fastlane, Xcode/Gradle, and a generate_jwt tool. A legit publishing workflow would require those credentials/tools; their absence from the declared requirements is an incoherence.
Instruction Scope
SKILL.md contains step-by-step instructions that reference reading local credential files (key.p8, service-account.json) and environment variables ($ISSUER_ID, $KEY_ID) and running tooling (fastlane, generate_jwt, gradle) even though none are declared. It also discusses storing signing material with fastlane match (which can encourage insecure practices if done incorrectly). The instructions therefore assume access to sensitive secrets and system tooling beyond what the skill metadata advertises.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code or downloads, which is lower risk. There are no remote install URLs or extracted archives. That said, the instructions call for external tools (fastlane, gradle, Xcode, generate_jwt) but provide no install mechanism for them.
Credentials
The guidance clearly requires sensitive artifacts (Apple .p8 + Issuer/Key IDs; Google service-account JSON) and CI secrets, but the skill declares no required environment variables or config paths. This mismatch means a user (or an agent) following the skill might be prompted to provide high-value credentials without the registry metadata signalling that need. The guidance also mentions storing certs in git or cloud storage (fastlane match) — which is potentially risky unless properly encrypted and controlled.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request persistent system presence or modification of other skills. Autonomous invocation is allowed (platform default), but there is no evidence the skill self-installs or persists credentials on its own.
What to consider before installing
This appears to be a legitimate publishing guide, but there are important mismatches you should consider before installing or using it: (1) The SKILL.md expects Apple .p8 keys, Issuer/Key IDs, and a Google service-account JSON plus tools like fastlane/gradle/generate_jwt, yet the skill metadata lists no required credentials or binaries — treat that as a warning sign. (2) Do not upload or paste your key.p8 or service-account.json into untrusted places; only store them in encrypted CI secrets or secure vaults. (3) If an agent implements these instructions, ensure it will not read local key files or environment variables unless you explicitly provide them and trust the skill source. (4) Verify the skill author/source before giving any credentials; prefer generating keys and granting least privilege (service account scopes) and using official tooling and documented CI secret storage. If you proceed, plan to supply credentials only in secure CI/secret storage and double-check any automation that might push signing material to git.
latest: vk971v67h5ak7m9sas42bekcre9810s55
