← Back to Skills Marketplace
901
Downloads
1
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install app-store-connect
Description
Manage iOS apps, TestFlight builds, submissions, and analytics via App Store Connect API.
README (SKILL.md)
When to Use
User needs to manage iOS/macOS apps on App Store Connect. Agent handles API authentication, build management, TestFlight distribution, App Review submissions, and analytics retrieval.
Quick Reference
| Topic | File |
|---|---|
| API Authentication | api-auth.md |
| Common Workflows | workflows.md |
Core Rules
1. JWT Authentication Required
App Store Connect API uses JWT tokens signed with your private key.
# Required environment variables:
# ASC_ISSUER_ID - From App Store Connect > Users > Keys
# ASC_KEY_ID - From the API key you created
# ASC_PRIVATE_KEY_PATH - Path to your .p8 private key file
Generate JWT with ES256 algorithm, 20-minute expiration max. See api-auth.md for code examples.
2. API Versioning
Always specify API version in requests.
curl -H "Authorization: Bearer $JWT" \
"https://api.appstoreconnect.apple.com/v1/apps"
Current stable version: v1. Check Apple docs for v2 endpoints.
3. Build Processing States
Builds go through states after upload:
| State | Meaning | Action |
|---|---|---|
| PROCESSING | Upload received, processing | Wait |
| FAILED | Processing failed | Check logs |
| INVALID | Validation failed | Fix issues, re-upload |
| VALID | Ready for testing/submission | Proceed |
Never submit a build that is not VALID.
4. TestFlight Distribution
- Internal Testing: Up to 100 members, builds available immediately after processing
- External Testing: Up to 10,000 testers, requires Beta App Review for first build of version
- External groups need at least: app description, feedback email, privacy policy URL
5. App Review Submission
Before submitting for review:
- All required metadata complete (descriptions, keywords, screenshots)
- App Preview videos under 30 seconds
- Privacy policy URL valid and accessible
- Contact information current
Submission creates an appStoreVersion in PENDING_DEVELOPER_RELEASE or WAITING_FOR_REVIEW.
6. Rate Limits
API has rate limits per hour. Handle 429 responses with exponential backoff.
# Respect Retry-After header
HTTP/1.1 429 Too Many Requests
Retry-After: 60
7. Bundle ID Management
Bundle IDs are permanent once created. Cannot be deleted or renamed.
- Use reverse-domain notation:
com.company.appname - Plan naming carefully before registration
- Each bundle ID can only belong to one team
Common Traps
- Expired JWT - Tokens expire in 20 min max. Regenerate before long operations.
- Wrong key permissions - API keys need specific roles (Admin, App Manager, etc.)
- Missing export compliance - Apps with encryption need ECCN or exemption documentation
- Build version collision - Each build needs unique version+build number combo
- Screenshot dimensions - Must match exactly for each device type (no scaling)
- Phased release confusion - Phased release is for App Store only, not TestFlight
External Endpoints
| Endpoint | Data Sent | Purpose |
|---|---|---|
| api.appstoreconnect.apple.com | App metadata, build info | App Store Connect API |
No other data is sent externally.
Security & Privacy
Data that leaves your machine:
- App metadata sent to Apple for App Store listing
- Build information for processing
- Analytics queries
Data that stays local:
- API private key (.p8) - never transmit
- JWT tokens - generated locally
- Downloaded reports
This skill does NOT:
- Store your .p8 key in plain text
- Share credentials with third parties
- Access apps outside your team
Related Skills
Install with clawhub install \x3Cslug> if user confirms:
ios— iOS development patternsswift— Swift language referencexcode— Xcode IDE workflows
Feedback
- If useful:
clawhub star app-store-connect - Stay updated:
clawhub sync
Usage Guidance
This skill appears coherent for managing App Store Connect. Before installing: (1) ensure you trust the agent because it will need read access to the .p8 private key at the path you provide; (2) keep the .p8 file out of version control and in a restricted location, and rotate keys if you suspect compromise; (3) prefer least-privilege roles (App Manager vs Admin) for the API key where possible; (4) note macOS-only tooling references (xcrun/Transporter) — those commands won't run on Linux/Windows but API calls still work; (5) if you do not want the skill acting without confirmation, limit its use or check your agent's autonomy settings prior to enabling.
Capability Analysis
Type: OpenClaw Skill
Name: app-store-connect
Version: 1.0.0
This skill bundle is designed to manage iOS/macOS apps via the App Store Connect API. All files consistently demonstrate a clear, legitimate purpose. Credentials (private keys, issuer IDs, key IDs) are handled securely by requiring them as environment variables and explicitly stating that private keys are never transmitted. All network requests are directed exclusively to the official `api.appstoreconnect.apple.com` endpoint, as confirmed by `SKILL.md` and all `curl` examples in `api-auth.md` and `workflows.md`. There is no evidence of data exfiltration to unauthorized endpoints, malicious code execution, persistence mechanisms, or prompt injection attempts against the agent. A minor typo (`application/a]gzip`) in `workflows.md` is a benign bug, not indicative of malice.
Capability Assessment
Purpose & Capability
Name/description, required env vars (ASC_ISSUER_ID, ASC_KEY_ID, ASC_PRIVATE_KEY_PATH), and the documented API endpoints (api.appstoreconnect.apple.com) are coherent for an App Store Connect integration. No unrelated services, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are detailed and constrained to JWT generation, calling Apple API endpoints, build/upload and TestFlight workflows. The docs explicitly instruct generating JWTs locally and not transmitting the .p8 file. Commands reference macOS tooling (xcrun/Transporter) where appropriate, and all file/env accesses mentioned map to the declared requirements.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself. That minimizes install-time risk.
Credentials
The three required env vars are appropriate for JWT-based App Store Connect access. Note: ASC_PRIVATE_KEY_PATH implies the agent/process will need read access to your .p8 file to generate tokens — make sure the file is stored securely and the provided path is correct and restricted to trusted users.
Persistence & Privilege
always is false and the skill does not request persistent system-level changes or access to other skills' configs. The skill can be invoked autonomously per platform default, which is expected for skills of this type.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install app-store-connect - After installation, invoke the skill by name or use
/app-store-connect - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is App Store Connect?
Manage iOS apps, TestFlight builds, submissions, and analytics via App Store Connect API. It is an AI Agent Skill for Claude Code / OpenClaw, with 901 downloads so far.
How do I install App Store Connect?
Run "/install app-store-connect" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is App Store Connect free?
Yes, App Store Connect is completely free (open-source). You can download, install and use it at no cost.
Which platforms does App Store Connect support?
App Store Connect is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created App Store Connect?
It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.
More Skills