App Store Connect
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with real credentials and IDs, the agent could submit builds, update app metadata, add testers, create apps, or change release settings.
The workflow documents a mutating API call that can submit an app version for review. This is aligned with the skill purpose, but it is a high-impact action.
curl -X POST ... "https://api.appstoreconnect.apple.com/v1/appStoreVersionSubmissions"
Require explicit user confirmation before any upload, POST, PATCH, submission, tester invitation, app creation, or release-management action.
A broadly scoped API key could let the agent make important changes across an Apple developer team account.
The skill requires App Store Connect API credentials that may carry broad developer-account privileges. The documentation does recommend minimal permissions.
Apple Developer Account with Admin or App Manager role ... Admin for full access, App Manager for app-specific
Use an App Manager or app-specific key where possible, avoid Admin unless required, protect the .p8 private key, and rotate keys periodically.
Users could be led to believe that bearer tokens are never transmitted, even though they must be sent to Apple's API for authentication.
JWTs are generated locally, but the same document shows them being sent to Apple in Authorization headers. This appears to be an imprecise privacy statement rather than hidden exfiltration.
Data that stays local: ... JWT tokens - generated locally
Clarify that the private key stays local, while short-lived JWT bearer tokens are sent only to Apple App Store Connect endpoints.
