App Store Connect
v1.0.0Manage iOS apps, TestFlight builds, submissions, and analytics via App Store Connect API.
⭐ 1· 852·2 current·2 all-time
byIván@ivangdavila
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required env vars (ASC_ISSUER_ID, ASC_KEY_ID, ASC_PRIVATE_KEY_PATH), and the documented API endpoints (api.appstoreconnect.apple.com) are coherent for an App Store Connect integration. No unrelated services, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are detailed and constrained to JWT generation, calling Apple API endpoints, build/upload and TestFlight workflows. The docs explicitly instruct generating JWTs locally and not transmitting the .p8 file. Commands reference macOS tooling (xcrun/Transporter) where appropriate, and all file/env accesses mentioned map to the declared requirements.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself. That minimizes install-time risk.
Credentials
The three required env vars are appropriate for JWT-based App Store Connect access. Note: ASC_PRIVATE_KEY_PATH implies the agent/process will need read access to your .p8 file to generate tokens — make sure the file is stored securely and the provided path is correct and restricted to trusted users.
Persistence & Privilege
always is false and the skill does not request persistent system-level changes or access to other skills' configs. The skill can be invoked autonomously per platform default, which is expected for skills of this type.
Assessment
This skill appears coherent for managing App Store Connect. Before installing: (1) ensure you trust the agent because it will need read access to the .p8 private key at the path you provide; (2) keep the .p8 file out of version control and in a restricted location, and rotate keys if you suspect compromise; (3) prefer least-privilege roles (App Manager vs Admin) for the API key where possible; (4) note macOS-only tooling references (xcrun/Transporter) — those commands won't run on Linux/Windows but API calls still work; (5) if you do not want the skill acting without confirmation, limit its use or check your agent's autonomy settings prior to enabling.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🍎 Clawdis
OSLinux · macOS · Windows
EnvASC_ISSUER_ID, ASC_KEY_ID, ASC_PRIVATE_KEY_PATH
latest
When to Use
User needs to manage iOS/macOS apps on App Store Connect. Agent handles API authentication, build management, TestFlight distribution, App Review submissions, and analytics retrieval.
Quick Reference
| Topic | File |
|---|---|
| API Authentication | api-auth.md |
| Common Workflows | workflows.md |
Core Rules
1. JWT Authentication Required
App Store Connect API uses JWT tokens signed with your private key.
# Required environment variables:
# ASC_ISSUER_ID - From App Store Connect > Users > Keys
# ASC_KEY_ID - From the API key you created
# ASC_PRIVATE_KEY_PATH - Path to your .p8 private key file
Generate JWT with ES256 algorithm, 20-minute expiration max. See api-auth.md for code examples.
2. API Versioning
Always specify API version in requests.
curl -H "Authorization: Bearer $JWT" \
"https://api.appstoreconnect.apple.com/v1/apps"
Current stable version: v1. Check Apple docs for v2 endpoints.
3. Build Processing States
Builds go through states after upload:
| State | Meaning | Action |
|---|---|---|
| PROCESSING | Upload received, processing | Wait |
| FAILED | Processing failed | Check logs |
| INVALID | Validation failed | Fix issues, re-upload |
| VALID | Ready for testing/submission | Proceed |
Never submit a build that is not VALID.
4. TestFlight Distribution
- Internal Testing: Up to 100 members, builds available immediately after processing
- External Testing: Up to 10,000 testers, requires Beta App Review for first build of version
- External groups need at least: app description, feedback email, privacy policy URL
5. App Review Submission
Before submitting for review:
- All required metadata complete (descriptions, keywords, screenshots)
- App Preview videos under 30 seconds
- Privacy policy URL valid and accessible
- Contact information current
Submission creates an appStoreVersion in PENDING_DEVELOPER_RELEASE or WAITING_FOR_REVIEW.
6. Rate Limits
API has rate limits per hour. Handle 429 responses with exponential backoff.
# Respect Retry-After header
HTTP/1.1 429 Too Many Requests
Retry-After: 60
7. Bundle ID Management
Bundle IDs are permanent once created. Cannot be deleted or renamed.
- Use reverse-domain notation:
com.company.appname - Plan naming carefully before registration
- Each bundle ID can only belong to one team
Common Traps
- Expired JWT - Tokens expire in 20 min max. Regenerate before long operations.
- Wrong key permissions - API keys need specific roles (Admin, App Manager, etc.)
- Missing export compliance - Apps with encryption need ECCN or exemption documentation
- Build version collision - Each build needs unique version+build number combo
- Screenshot dimensions - Must match exactly for each device type (no scaling)
- Phased release confusion - Phased release is for App Store only, not TestFlight
External Endpoints
| Endpoint | Data Sent | Purpose |
|---|---|---|
| api.appstoreconnect.apple.com | App metadata, build info | App Store Connect API |
No other data is sent externally.
Security & Privacy
Data that leaves your machine:
- App metadata sent to Apple for App Store listing
- Build information for processing
- Analytics queries
Data that stays local:
- API private key (.p8) - never transmit
- JWT tokens - generated locally
- Downloaded reports
This skill does NOT:
- Store your .p8 key in plain text
- Share credentials with third parties
- Access apps outside your team
Related Skills
Install with clawhub install <slug> if user confirms:
ios— iOS development patternsswift— Swift language referencexcode— Xcode IDE workflows
Feedback
- If useful:
clawhub star app-store-connect - Stay updated:
clawhub sync
Comments
Loading comments...