App Store
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into a real CI/CD setup with valid credentials, this could publish an app release without an additional App Store manual release step.
The documentation shows a release automation example that can submit and automatically release an app, which is high-impact but directly aligned with the skill's app-store publishing purpose.
upload_to_app_store(
  submit_for_review: true,
  automatic_release: true
)
Use manual approvals, staged rollout/phased release, and separate beta versus production lanes before enabling automatic production release.
Mismanaged credentials could allow unauthorized app uploads, track changes, or release-management actions in Apple or Google developer accounts.
The skill describes Apple App Store Connect API keys and a Google Play service account scope that can perform developer-console actions; this is expected for publishing but grants meaningful account authority.
Download .p8 file (only downloadable once) ... scopes=['https://www.googleapis.com/auth/androidpublisher']
Use least-privilege roles, keep keys in CI secret stores, avoid committing credential files, rotate keys periodically, and separate build/upload permissions from production-release permissions.
