App Store

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: app-store
Version: 1.0.0

The `automation.md` file contains direct shell commands (`curl`) and Python code snippets intended for CI/CD automation. These instructions demonstrate how to authenticate and interact with the Apple App Store Connect and Google Play Developer APIs using sensitive credentials (e.g., `.p8` private keys, `service-account.json`). While the described operations are legitimate for app publishing, the presence of executable commands that require access to local sensitive files creates a significant vulnerability. If an AI agent executed these instructions without proper sandboxing or strict user consent for credential access, the result could be unauthorized API calls or actions on external platforms; the skill is therefore classified as suspicious because of its potential for abuse, even without explicit malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied into a real CI/CD setup with valid credentials, this could publish an app release without an additional App Store manual release step.

Why it was flagged

The documentation shows a release automation example that can submit and automatically release an app, which is high-impact but directly aligned with the skill's app-store publishing purpose.

Skill content
upload_to_app_store(
  submit_for_review: true,
  automatic_release: true
)
Recommendation

Use manual approvals, staged rollout/phased release, and separate beta versus production lanes before enabling automatic production release.

What this means

Mismanaged credentials could allow unauthorized app uploads, changes to release tracks, or release-management actions in Apple or Google developer accounts.

Why it was flagged

The skill describes Apple App Store Connect API keys and a Google Play service account scope that can perform developer-console actions; this is expected for publishing but grants meaningful account authority.

Skill content
Download .p8 file (only downloadable once) ... scopes=['https://www.googleapis.com/auth/androidpublisher']
Recommendation

Use least-privilege roles, keep keys in CI secret stores, avoid committing credential files, rotate keys periodically, and separate build/upload permissions from production-release permissions.