App Store
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent app-publishing guide, but it discusses powerful store credentials and release automation that users should handle carefully.
Installers should treat this as a publishing playbook: review any automation before use, keep App Store and Play Console credentials in secret managers, restrict production-release permissions, and require a human approval step before public releases.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into a real CI/CD setup with valid credentials, this could publish an app release without an additional App Store manual release step.
The documentation shows a release automation example that can submit and automatically release an app, which is high-impact but directly aligned with the skill's app-store publishing purpose.
upload_to_app_store(
  submit_for_review: true,
  automatic_release: true
)
Use manual approvals, staged rollout/phased release, and separate beta versus production lanes before enabling automatic production release.
Mismanaged credentials could allow unauthorized app uploads, track changes, or release-management actions in Apple or Google developer accounts.
The skill describes Apple App Store Connect API keys and a Google Play service account scope that can perform developer-console actions; this is expected for publishing but grants meaningful account authority.
Download .p8 file (only downloadable once) ... scopes=['https://www.googleapis.com/auth/androidpublisher']
Use least-privilege roles, keep keys in CI secret stores, avoid committing credential files, rotate keys periodically, and separate build/upload permissions from production-release permissions.
