Expo App Store Deploy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Expo app deployment guide, but its commands can build and submit production apps using app-store accounts, so users should approve those actions carefully.

Install this skill only if you want help deploying an Expo app. Treat build, submit, non-interactive, and auto-submit commands as actions that need explicit confirmation, and verify the project, app identifier, account, and build ID before running them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run against the wrong project, platform, or build ID, these commands could submit an unintended production app build into store review or release workflows.

Why it was flagged

These commands can submit production mobile app builds to Apple or Google, including a combined build-and-submit path.

Skill content

npx eas-cli submit --platform ios --id <BUILD_ID>
npx eas-cli submit --platform android --id <BUILD_ID>

# Build + submit in one step
npx eas-cli build --platform ios --profile production --auto-submit

Recommendation

Before running submit or auto-submit commands, confirm the app project, bundle/package ID, EAS profile, platform, and build ID with the user.

What this means

The agent may guide actions that use developer-account privileges, app signing credentials, or store submission authority.

Why it was flagged

The deployment workflow depends on privileged Apple and Google developer account access, which is expected for the stated purpose.

Skill content

# iOS: first-time (interactive Apple login required)
...
1. Apple Developer Program active
2. Google Play Console + identity verification complete

Recommendation

Use only the intended developer accounts and projects, and avoid sharing credentials directly in chat; prefer official EAS and store login flows.

What this means

The CLI version used at runtime may vary depending on the npm registry and local environment.

Why it was flagged

The skill relies on npx to run the EAS CLI, but the artifacts do not pin a package version or include an install specification.

Skill content

`eas-cli` installed: `npx eas-cli --version`

Recommendation

Consider installing or invoking a known trusted version of eas-cli, and verify the package source before deployment.