App Store Connect

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent and limited to Apple’s App Store Connect API, but it uses powerful Apple credentials and documents actions that can change or submit live apps.

Use this skill only with an App Store Connect API key you trust the agent to use. Prefer least-privilege, app-scoped credentials; keep the .p8 key secure; and manually confirm every action that submits builds, changes metadata, adds testers, creates apps or bundle IDs, or affects release status.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with real credentials and IDs, the agent could submit builds, update app metadata, add testers, create apps, or change release settings.

Why it was flagged

The workflow documents a mutating API call that can submit an app version for review. This is aligned with the skill purpose, but it is a high-impact action.

Skill content

curl -X POST ... "https://api.appstoreconnect.apple.com/v1/appStoreVersionSubmissions"

Recommendation

Require explicit user confirmation before any upload, POST, PATCH, submission, tester invitation, app creation, or release-management action.

What this means

A broadly scoped API key could let the agent make important changes across an Apple developer team account.

Why it was flagged

The skill requires App Store Connect API credentials that may carry broad developer-account privileges. The documentation does recommend minimal permissions.

Skill content

Apple Developer Account with Admin or App Manager role ... Admin for full access, App Manager for app-specific

Recommendation

Use an App Manager or app-specific key where possible, avoid Admin unless required, protect the .p8 private key, and rotate keys periodically.

What this means

Users could be misled into believing that bearer tokens are never transmitted, even though they must be sent to Apple’s API for authentication.

Why it was flagged

JWTs are generated locally, but the same document shows them being sent to Apple in Authorization headers. This appears to be an imprecise privacy statement rather than hidden exfiltration.

Skill content

Data that stays local: ... JWT tokens - generated locally

Recommendation

Clarify that the private key stays local, while short-lived JWT bearer tokens are sent only to Apple App Store Connect endpoints.