Google Play Store
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: google-play-store Version: 1.0.0 The OpenClaw AgentSkills skill bundle for 'google-play-store' is classified as benign. The `SKILL.md` explicitly states that the skill does NOT store credentials, make network requests, or execute Fastlane commands directly, clarifying that Fastlane examples in `fastlane.md` are for the user's CI/CD systems. The `memory-template.md` further reinforces that no sensitive data is stored locally. All instructions for the agent are focused on providing guidance and managing non-sensitive metadata related to Google Play Store processes, without any evidence of malicious prompt injection, data exfiltration, or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the agent or user workflows may have authority to upload or promote Android app releases through Google Play.
The skill documents use of a Google Play service-account JSON key with release-manager permissions, which is expected for release automation but can modify app releases.
Google Play API requires a service account... Download JSON key... Grant service account access... Set permissions (Release manager for uploads)
Use the least-privileged Play Console role that supports the needed task, keep the JSON key out of memory files and source control, and require human review before release actions.
Running the documented commands can change what users receive from the Play Store and may affect ratings, revenue, or account standing if used incorrectly.
The documentation includes Fastlane commands that can publish staged or full production rollouts. These are purpose-aligned examples, not hidden automatic execution.
fastlane supply --aab app-release.aab --track production --rollout 0.1 ... fastlane supply --track production --rollout 1.0
Treat production uploads and rollout increases as approval-required actions; run the pre-submission checklist and prefer internal, closed, or staged rollouts first.
Installing Fastlane adds a third-party tool to the release environment.
The skill suggests installing an external automation tool from package managers. This is central to Fastlane automation and is disclosed.
brew install fastlane ... gem install fastlane
Install Fastlane from trusted package sources, pin versions in CI where practical, and review generated Fastlane configuration before use.
Future interactions may reuse stored app and release context, and local files may reveal app plans or past policy issues to anyone with filesystem access.
The skill stores persistent local notes about the user's apps and workflow, which is disclosed and scoped but may contain business-sensitive context if the user adds it.
In `~/google-play-store/memory.md`: Integration preferences; Apps they manage; Their workflow (CI/CD vs manual); Past issues and lessons learned
Keep credentials and confidential business details out of the memory files, periodically review the stored notes, and delete entries that should not persist.