App Store

Name: App Store
Author: ivangdavila

Description

Publish and manage iOS and Android apps with account setup, submission workflows, review compliance, and rejection handling.

README (SKILL.md)

Scope

App Store Connect (iOS) and Google Play Console (Android). Covers the full publishing lifecycle from account creation to updates. For keyword optimization, see app-store-optimization skill.

Account Setup

Platform	Cost	Time	Key Steps
Apple Developer Program	$99/year	1-7 days	Enroll → D-U-N-S (orgs) → Payment → Agreements
Google Play Console	$25 once	Minutes-48h	Register → Identity verification → Payment profile

Apple gotchas:

D-U-N-S number required for organizations (free, takes 1-2 weeks)
Legal entity name must match D-U-N-S exactly
Agreements (Paid Apps, Apple Pay) must be accepted before features work

Google gotchas:

Identity verification can take 48h+ for new accounts
Closed testing track required before production (20+ testers, 14+ days for new apps since 2023)

iOS Signing (The Hard Part)

Asset	What It Is	Where Created	Expires
Distribution Certificate	Your signing identity	Keychain → App Store Connect	1 year
Provisioning Profile	Links cert + app ID + devices	App Store Connect	1 year
App ID	Unique identifier (bundle ID)	App Store Connect	Never

When Xcode says "No signing identity":

Check certificate exists in Keychain Access (login keychain)
Check provisioning profile includes that certificate
Check bundle ID in Xcode matches App ID exactly
Revoke and recreate if nothing else works

Automatic vs Manual Signing:

Automatic: Xcode manages everything (fine for solo devs)
Manual: Required for CI/CD, teams, or multiple apps
Never mix — pick one approach per project

Submission Checklist

Pre-submit verification (both platforms):

Privacy policy URL live and accessible
All required permissions have usage descriptions
App works without network (or handles offline gracefully)
No placeholder content, "lorem ipsum", or test data
Screenshots match actual app UI (no misleading marketing)
Contact support email valid and monitored

iOS-specific:

Export Compliance (ITSAppUsesNonExemptEncryption in Info.plist)
App Tracking Transparency if using IDFA
Privacy manifest (PrivacyInfo.xcprivacy) for required APIs

Android-specific:

Target SDK meets current requirement (currently API 34)
Data safety form completed
Content rating questionnaire filled
20+ testers on closed track for 14+ days (new apps)

Common Rejections

Code	Meaning	Fix
4.2 (iOS)	Minimum functionality	Add features, or argue value proposition in appeal
4.3 (iOS)	Spam/duplicate	Differentiate significantly from your other apps
5.1.1 (iOS)	Data collection	Implement App Tracking Transparency, update privacy manifest
2.1 (iOS)	Crashes/bugs	Test on real devices, check Crashlytics
Deceptive behavior (Android)	Misleading metadata	Match screenshots to real functionality
Broken functionality (Android)	App doesn't work as described	Full QA on production build

Appeal strategy:

Read rejection reason carefully (don't assume)
If misunderstanding: Explain with screenshots, video if needed
If valid: Fix issue, note what changed in resolution notes
Never resubmit identical binary hoping for different reviewer

Review Timeline

Platform	Typical	Expedited	Slower Periods
Apple	24-48h	Request via App Review form	New iOS launches, holidays
Google	2-6h	N/A	Initial submissions, policy violations

Apple expedited review: Only for critical bugs, time-sensitive events. Overuse = ignored.

Monetization Setup

In-app purchases (IAP):

Create products in App Store Connect / Play Console
Implement StoreKit (iOS) / BillingClient (Android)
Set up server-side receipt validation (don't trust client)
Handle sandbox vs production environments

Subscriptions:

Configure introductory offers, free trials, grace periods
Implement subscription lifecycle: renewal, cancellation, billing retry
Server notifications endpoint for real-time status updates
Test with sandbox accounts (both platforms have quirks)

Revenue splits: Apple/Google take 15-30% (15% for Small Business Program or after year 1 of subscription).

Multi-App Management

Organization structure:

Apple: One enrollment, multiple apps, team roles per app
Google: One developer account, multiple apps, user permissions

Team roles (critical):

Separate "submit builds" from "release to production"
Marketing should access metadata only
Finance sees revenue, not code

Cross-platform releases:

Submit iOS first (longer review)
Hold Android release until iOS approved
Use phased rollout to catch issues early

When to Load More

Situation	Reference
Keyword optimization, A/B testing	`app-store-optimization` skill
Generating release notes from git	`app-store-changelog` skill
TestFlight/internal testing setup	`testing.md`
CI/CD automation (fastlane, APIs)	`automation.md`

Usage Guidance

This appears to be a legitimate publishing guide, but there are important mismatches you should consider before installing or using it: (1) The SKILL.md expects Apple .p8 keys, Issuer/Key IDs, and a Google service-account JSON plus tools like fastlane/gradle/generate_jwt, yet the skill metadata lists no required credentials or binaries — treat that as a warning sign. (2) Do not upload or paste your key.p8 or service-account.json into untrusted places; only store them in encrypted CI secrets or secure vaults. (3) If an agent implements these instructions, ensure it will not read local key files or environment variables unless you explicitly provide them and trust the skill source. (4) Verify the skill author/source before giving any credentials; prefer generating keys and granting least privilege (service account scopes) and using official tooling and documented CI secret storage. If you proceed, plan to supply credentials only in secure CI/secret storage and double-check any automation that might push signing material to git.

Capability Analysis

Type: OpenClaw Skill Name: app-store Version: 1.0.0 The `automation.md` file contains direct shell commands (`curl`) and Python code snippets intended for CI/CD automation. These instructions demonstrate how to authenticate and interact with Apple App Store Connect and Google Play Developer APIs using sensitive credentials (e.g., `.p8` private keys, `service-account.json`). While the described operations are legitimate for app publishing, the presence of executable commands that require access to local sensitive files creates a significant vulnerability. If an AI agent were to execute these instructions without proper sandboxing or strict user consent for credential access, it could lead to unauthorized API calls or actions on external platforms, classifying it as suspicious due to the potential for abuse, even without explicit malicious intent.

Capability Assessment

⚠ Purpose & Capability

The name/description match the SKILL.md content (App Store Connect and Google Play workflows). However, the skill metadata declares no required env vars, binaries, or config paths while the instructions explicitly rely on App Store Connect .p8 keys (Issuer ID, Key ID, key.p8), Google service-account JSON, fastlane, Xcode/Gradle, and a generate_jwt tool. A legit publishing workflow would require those credentials/tools; their absence from the declared requirements is an incoherence.

⚠ Instruction Scope

SKILL.md contains step-by-step instructions that reference reading local credential files (key.p8, service-account.json) and environment variables ($ISSUER_ID, $KEY_ID) and running tooling (fastlane, generate_jwt, gradle) even though none are declared. It also discusses storing signing material with fastlane match (which can encourage insecure practices if done incorrectly). The instructions therefore assume access to sensitive secrets and system tooling beyond what the skill metadata advertises.

✓ Install Mechanism

This is an instruction-only skill with no install spec and no bundled code or downloads, which is lower risk. There are no remote install URLs or extracted archives. That said, the instructions instruct use of external tools (fastlane, gradle, Xcode, generate_jwt) but do not provide an install mechanism for them.

⚠ Credentials

The guidance clearly requires sensitive artifacts (Apple .p8 + Issuer/Key IDs; Google service-account JSON) and CI secrets, but the skill declares no required environment variables or config paths. This mismatch means a user (or an agent) following the skill might be prompted to provide high-value credentials without the registry metadata signalling that need. The guidance also mentions storing certs in git or cloud storage (fastlane match) — which is potentially risky unless properly encrypted and controlled.

✓ Persistence & Privilege

The skill is not marked always:true and is user-invocable only. It does not request persistent system presence or modification of other skills. Autonomous invocation is allowed (platform default), but there is no evidence the skill self-installs or persists credentials on its own.

Version History

v1.0.0

Initial release

Metadata

Slug app-store

Version 1.0.0

License —

All-time Installs 2

Active Installs 2

Total Versions 1

Frequently Asked Questions

What is App Store?

Publish and manage iOS and Android apps with account setup, submission workflows, review compliance, and rejection handling. It is an AI Agent Skill for Claude Code / OpenClaw, with 864 downloads so far.

How do I install App Store?

Run "/install app-store" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is App Store free?

Yes, App Store is completely free (open-source). You can download, install and use it at no cost.

Which platforms does App Store support?

App Store is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created App Store?

It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.

More Skills