TestFlight
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only TestFlight automation guide, but it involves sensitive Apple credentials and build distribution actions that should be used deliberately.
Use this skill if you want TestFlight release help, but only provide Apple API keys and signing certificates intentionally. Store credentials in CI secrets or Keychain, avoid committing generated key files, and require confirmation before uploading builds, submitting beta review, or distributing to external tester groups.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unauthorized run could send a beta build to testers or submit it to Apple beta review.
This documented lane can submit a build for beta review and distribute it to external testers. That is purpose-aligned for TestFlight automation, but it is a high-impact account action.
upload_to_testflight(
  api_key_path: "fastlane/api_key.json",
  distribute_external: true,
  groups: ["Beta Testers"],
  submit_beta_review: true
)
Keep external distribution lanes manual or approval-gated, verify tester groups before running, and avoid letting CI triggers deploy unexpectedly.
Anyone with these secrets could potentially upload builds or modify TestFlight-related app state for the associated Apple developer account.
The workflow requires an App Store Connect API private key with App Manager authority. This is expected for TestFlight automation, but it grants sensitive account-level release permissions.
Role: "App Manager" (minimum for TestFlight) ... APPSTORE_API_KEY_CONTENT="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
Use least-privilege Apple credentials where possible, store .p8/P12 material only in CI secrets or Keychain, never commit api_key.json or certificate files, and rotate keys if exposed.
