TestFlight

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: testflight
Version: 1.0.0

The skill is designed for legitimate CI/CD operations involving TestFlight, but it demonstrates several high-risk capabilities. `SKILL.md` and `ci-cd.md` include direct shell command examples (`xcrun altool`, `security`, `base64 -d`, `echo > file`) that handle sensitive cryptographic material (App Store Connect API keys, P12 certificates, provisioning profiles) by decoding it from environment variables and writing it to files. These operations are necessary for the stated purpose, but they present a significant attack surface for shell injection and secret exposure if the AI agent does not sanitize the input it feeds into those commands. The skill is therefore rated suspicious because of potential vulnerabilities, not because of any explicit malicious intent.
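The risky pattern the overview describes is a shell line that interpolates an agent-controlled value into `echo ... | base64 -d > file`. The helper below is an added example of the same step done defensively; it is not code from the skill's `SKILL.md` or `ci-cd.md`. The caller passes the name of an exported variable (the example assumes `APPSTORE_API_KEY_B64`, holding the base64 of the `.p8` PEM), the value is fed to the decoder on stdin via `printf` rather than expanded into a command line, the destination file is created under `umask 077` before any bytes land in it, and the decoded bytes are rejected unless they look like a PKCS#8 PEM block. The variable name, the destination path and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the skill): materialize a base64-encoded secret
# from an exported CI variable into a mode-0600 file without ever placing
# the secret in a command line. APPSTORE_API_KEY_B64 and the return codes
# are assumptions for this example.

# file_mode PATH -> prints the octal permission bits (GNU stat, then BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_secret_file VAR_NAME DEST
# Decodes the base64 value held in the exported variable VAR_NAME into DEST.
# Callers pass the variable *name*, so the secret never appears in argv.
# Return codes: 1 missing/invalid variable, 2 bad destination path,
#               3 base64 decode failure, 4 decoded data is not a PEM key.
write_secret_file() {
    var_name=$1
    dest=$2

    # Accept only identifier-shaped names; anything else (e.g. an
    # agent-supplied string with ';' in it) is refused outright.
    case $var_name in
        ""|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    value=$(printenv "$var_name") || return 1
    [ -n "$value" ] || return 1

    # Reject empty, option-looking or traversing destination paths.
    case $dest in
        ""|-*|..|../*|*/..|*/../*) return 2 ;;
    esac

    # Create the file closed to group/other before any bytes are written.
    old_umask=$(umask)
    umask 077
    if ! : > "$dest"; then
        umask "$old_umask"
        return 2
    fi
    umask "$old_umask"

    # printf (not echo) feeds the value on stdin: no escape processing, and
    # the decoder never sees the secret as an argument or in a shell line.
    if ! printf '%s' "$value" | base64 -d > "$dest" 2>/dev/null; then
        rm -f "$dest"
        return 3
    fi

    # Shape check: an App Store Connect .p8 key is a PKCS#8 PEM block.
    if ! grep -qF -- '-----BEGIN PRIVATE KEY-----' "$dest" ||
       ! grep -qF -- '-----END PRIVATE KEY-----' "$dest"; then
        rm -f "$dest"
        return 4
    fi
    chmod 600 "$dest"
    return 0
}

# remove_secret_file PATH: overwrite where the platform allows, then unlink.
remove_secret_file() {
    [ -f "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}
```

Usage in a CI step would be `write_secret_file APPSTORE_API_KEY_B64 "$(mktemp -d)/AuthKey.p8"` followed by the `xcrun altool` or fastlane call and `remove_secret_file` on the same path once the upload returns; `base64 -d` is the GNU/Linux and recent macOS spelling, older macOS `base64` spells the same flag `-D`.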

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unauthorized run could send a beta build to testers or submit it to Apple beta review.

Why it was flagged

This documented lane can submit a build for beta review and distribute it to external testers. That is purpose-aligned for TestFlight automation, but it is a high-impact account action.

Skill content
upload_to_testflight(
  api_key_path: "fastlane/api_key.json",
  distribute_external: true,
  groups: ["Beta Testers"],
  submit_beta_review: true
)
Recommendation

Keep external distribution lanes manual or approval-gated, verify the tester groups a run will target before starting it, and make sure automatic CI triggers (pushes, schedules, pull requests) cannot invoke the lane.
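One way to enforce that recommendation before the lane above is invoked, as an added example rather than anything shipped with the skill: a guard that refuses unless the run was started manually, a named approver and a typed confirmation token are present, and every requested tester group matches an allowlisted name exactly. The variable names `DEPLOY_TRIGGER`, `RELEASE_APPROVED_BY` and `TESTFLIGHT_CONFIRM`, the confirmation string and the one-group-per-line allowlist file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the skill): a guard an external-distribution
# lane runs before upload_to_testflight. DEPLOY_TRIGGER, RELEASE_APPROVED_BY,
# TESTFLIGHT_CONFIRM and the allowlist format are assumptions for this example.

# external_distribution_allowed GROUPS_CSV ALLOWLIST_FILE
#   GROUPS_CSV     comma-separated tester groups the lane wants to target
#   ALLOWLIST_FILE one approved group name per line
# Returns 0 only when the run is manual, explicitly approved, confirmed by a
# typed token and every requested group is allowlisted; otherwise prints the
# reason on stderr and returns 1.
external_distribution_allowed() {
    groups_csv=$1
    allowlist=$2

    # 1. Never from an automatic trigger (push, schedule, PR): the lane is
    #    reserved for runs a person started on purpose.
    case ${DEPLOY_TRIGGER:-} in
        manual|workflow_dispatch) ;;
        *) echo "refused: trigger '${DEPLOY_TRIGGER:-unset}' is not a manual run" >&2
           return 1 ;;
    esac

    # 2. A named approver plus a typed confirmation token, so a mistyped
    #    lane name or a stray re-run cannot reach external testers.
    if [ -z "${RELEASE_APPROVED_BY:-}" ]; then
        echo "refused: RELEASE_APPROVED_BY is not set" >&2
        return 1
    fi
    if [ "${TESTFLIGHT_CONFIRM:-}" != "distribute-external" ]; then
        echo "refused: TESTFLIGHT_CONFIRM must be 'distribute-external'" >&2
        return 1
    fi

    # 3. Every requested group must match an allowlisted name exactly
    #    (grep -x: whole line, -F: literal, so no pattern surprises).
    [ -r "$allowlist" ] || { echo "refused: allowlist '$allowlist' unreadable" >&2; return 1; }
    [ -n "$groups_csv" ] || { echo "refused: no tester groups requested" >&2; return 1; }
    old_ifs=$IFS
    IFS=,
    set -- $groups_csv
    IFS=$old_ifs
    for group in "$@"; do
        if ! grep -qxF -- "$group" "$allowlist"; then
            echo "refused: tester group '$group' is not allowlisted" >&2
            return 1
        fi
    done
    return 0
}
```

A lane would call `external_distribution_allowed "Beta Testers" fastlane/external-groups.allow || exit 1` as its first step; because the group check is an exact whole-line match, renaming a group in App Store Connect fails closed until the allowlist is updated, which is the behaviour you want for a high-impact account action.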

What this means

Anyone with these secrets could potentially upload builds or modify TestFlight-related app state for the associated Apple developer account.

Why it was flagged

The workflow requires an App Store Connect API private key with App Manager authority. This is expected for TestFlight automation, but it grants sensitive account-level release permissions.

Skill content
Role: "App Manager" (minimum for TestFlight)
...
APPSTORE_API_KEY_CONTENT="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
Recommendation

Use least-privilege Apple credentials where possible, store .p8/P12 material only in CI secrets or Keychain, never commit api_key.json or certificate files, and revoke and rotate the key immediately if it is exposed.
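The "never commit" part of that recommendation is cheap to enforce mechanically. The check below is an added example written for this page, not part of the skill: it flags files whose names match the key and certificate artifacts the skill handles (`api_key.json`, `.p8`, `.p12`, `.mobileprovision`, `.cer`) and any file containing a PEM private-key header, reads paths from stdin so it can sit behind `git diff --cached --name-only` in a pre-commit hook, and returns non-zero when anything is found. The name patterns and the PEM markers searched for are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the skill): refuse to commit App Store Connect
# or code-signing material. The file-name patterns and PEM markers below
# are choices made for this example.

# is_secret_path PATH -> 0 if the basename looks like key/certificate material
is_secret_path() {
    case $(basename "$1") in
        api_key.json|*.p8|*.p12|*.mobileprovision|*.cer) return 0 ;;
    esac
    return 1
}

# has_private_key_block PATH -> 0 if the file contains a PEM private key
has_private_key_block() {
    [ -f "$1" ] || return 1
    grep -qE -- '-----BEGIN (EC |RSA |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# scan_paths_for_secrets: reads one path per line on stdin, prints each
# offending path with a reason, and returns 1 if anything was found.
scan_paths_for_secrets() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_secret_path "$path"; then
            echo "blocked: $path (signing/API key file by name)"
            found=1
        elif has_private_key_block "$path"; then
            echo "blocked: $path (contains a PEM private key)"
            found=1
        fi
    done
    return $found
}

# scan_tree_for_secrets DIR -> runs the scan over every regular file in DIR
scan_tree_for_secrets() {
    find "$1" -type f -not -path '*/.git/*' | scan_paths_for_secrets
}
```

As a pre-commit hook the body is `git diff --cached --name-only --diff-filter=AM | scan_paths_for_secrets || exit 1`; run `scan_tree_for_secrets .` once over an existing checkout to find material that was committed before the hook existed, and treat any hit there as an exposure that needs the key revoked and rotated, not just the file deleted.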