TestFlight Seat Monitor

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—monitor TestFlight availability—but users should notice its optional scheduled monitoring, local state files, external lookups, and network requests to configured URLs.

Before installing, review the included config file, remove any default monitored link you do not want, and only add TestFlight URLs you intend to monitor. If you enable the cron example, remember it creates ongoing hourly checks. The skill does not request credentials, and the observed network behavior is consistent with checking TestFlight pages and optionally refreshing a public lookup table.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a non-TestFlight URL is added or checked, the skill may make an HTTP request from the user's machine.

Why it was flagged

The skill fetches a user-supplied URL with curl. This is central to checking TestFlight pages, but the script only checks for an 8-character code suffix and does not restrict the host to testflight.apple.com.

Skill content

HTML=$(curl -sSL -H "User-Agent: Mozilla/5.0" "$URL" 2>&1 || true)

Recommendation

Only add real TestFlight URLs. Maintainers should validate that URLs use the expected TestFlight domain before fetching them.

Note, High Confidence
ASI10: Rogue Agents
What this means

The monitor can continue checking links and generating alerts on a schedule after setup.

Why it was flagged

The instructions show an optional recurring OpenClaw cron job. This persistence is disclosed and fits the monitoring purpose, but it will keep running until the user removes it.

Skill content

openclaw cron add \
  --name "TestFlight Monitor" \
  --every 60m

Recommendation

Set up the cron job only if you want ongoing monitoring, and keep track of how to pause or remove it.

What this means

App-name lookup results depend on a third-party community data source and could be inaccurate if that source changes.

Why it was flagged

The optional update command downloads community-maintained lookup data from GitHub and writes it into the local lookup table. This source is disclosed and purpose-aligned.

Skill content

REPO_URL="https://raw.githubusercontent.com/pluwen/awesome-testflight-link/main/README.md"

Recommendation

Use the update command only if you trust the referenced community repository, and treat app-name mappings as convenience labels rather than authoritative security data.

What this means

Private beta links or custom app names placed in the config may remain in the skill directory between runs.

Why it was flagged

The batch monitor persists configured URLs and last-known status locally so it can detect changes over time. This persistence is expected for the stated purpose.

Skill content

STATE_FILE="$SKILL_ROOT/config/batch-state.json"
CONFIG_FILE="$SKILL_ROOT/config/batch-config.json"

Recommendation

Avoid adding sensitive private beta links unless you are comfortable storing them locally in the skill's config files.

What this means

Running the batch checker immediately after installation may check the included Reddit TestFlight link unless the user edits or removes it.

Why it was flagged

SKILL.md says batch-config.json is user-specific and not shipped with defaults, but the supplied artifact includes a default Reddit TestFlight link. This is a documentation mismatch, not evidence of malicious behavior.

Skill content

"links": [
    "https://testflight.apple.com/join/b9jMyOWt"
  ]

Recommendation

Review config/batch-config.json after installation and remove any default links you do not want monitored.