ASC Release Flow

v1.0.0

End-to-end release workflows for TestFlight and App Store using asc publish, builds, versions, and submit commands. Use when asked to upload a build, distribute to TestFlight, or submit to App Store.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the instructions (App Store Connect release flows). However the skill metadata declares no required binaries or env vars while the runtime instructions clearly assume the 'asc' CLI is available and that Apple credentials (asc auth or ASC_* env vars, ASC_APP_ID) are provided. The missing declarations are disproportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run asc commands that upload IPAs, attach builds, and submit apps — actions that require access to credentials and local IPA files. The instructions mention ASC_* env vars and using 'asc auth login' but those env vars are not declared. Otherwise the instructions stay within App Store Connect scope and do not ask to exfiltrate unrelated files or send data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is low-risk from an installation perspective. There is nothing being downloaded or written by an installer.
Credentials
The SKILL.md references sensitive environment variables (ASC_* and ASC_APP_ID) and implies the need for Apple credentials, but requires.env and primary credential fields are empty. That mismatch is a red flag: the skill will need secrets to operate but doesn't declare them or explain which specific variables are required.
Persistence & Privilege
The skill is not marked always:true and does not request any persistent system-wide privileges. Autonomous invocation is allowed (platform default) but there is no indication the skill modifies other skills or system settings.
Scan Findings in Context
[NO_REGEX_MATCHES] expected: The static scanner found no code or regex matches because this is an instruction-only SKILL.md. That explains the lack of findings; it does not imply the skill is fully safe.
What to consider before installing
This skill appears to be a legitimate App Store Connect release flow, but its metadata omits important requirements. Before installing or invoking it:
1) Verify you have the asc CLI installed and that the agent will not read or transmit secrets you don't want shared.
2) Confirm which ASC_* environment variables are required (e.g., API key ID, issuer ID, private key) and prefer using short-lived or scoped credentials.
3) Only run uploads from a trusted environment and double-check the skill source/owner (no homepage provided).
4) If you plan to allow autonomous invocation, consider the blast radius since uploads and submissions will use your App Store credentials.
If anything is unclear, request the skill author add explicit required env vars and documentation before use.

Like a lobster shell, security has layers — review code before you run it.
