App Store Changelog
by TobeyRebecca · GitHub · v1.0.0 · MIT-0
97 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install toby-app-store-changelog
Description
Create user-facing App Store release notes by collecting and summarizing all user-impacting changes since the last git tag (or a specified ref). Use when ask...
Usage Guidance
This skill appears coherent and limited in scope, but review these practical points before installing:
1. It runs git commands and prints the repo root, commit summaries, and file paths. Only use it on repositories you trust, because commit messages or paths can include sensitive information.
2. The agent will need to interpret commit messages and touched files to decide what is 'user-facing'; ask for clarification when ambiguous.
3. There are no network calls or credential requests in the provided files, but if the skill is later modified to call external services, re-check for unexpected endpoints.
4. You can inspect or run scripts/collect_release_changes.sh locally to see exactly what it prints before giving the agent access. Because the script expands its ref argument unquoted (see the Capability Analysis below), pass it only refs you typed yourself, never a name taken from an untrusted source such as an issue, a PR title, or a remote branch list.
Capability Analysis
Type: OpenClaw Skill
Name: toby-app-store-changelog
Version: 1.0.0
Classification: suspicious
Summary: The skill bundle is classified as suspicious due to a lack of input sanitization in `scripts/collect_release_changes.sh`. The script uses unquoted variables when constructing `git log` commands. Even when the ref is held as one string in the variable, an unquoted expansion in Bash undergoes word splitting, so a value such as `v1..v2 --output=file` becomes two arguments, `v1..v2` and `--output=file`; this is argument injection. An attacker who controls the reference name could supply flags like `--output` to overwrite files writable by the user running the script. Despite this flaw, the skill's overall design and the instructions in `SKILL.md` and `references/release-notes-guidelines.md` are well-aligned with its stated purpose of generating App Store release notes.
Indicators:
1. Argument injection from unquoted variable expansion (lack of input sanitization).
2. Potential for unauthorized file writes via `git log --output`.
3. File involved: `scripts/collect_release_changes.sh`.
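As an added example (this is not the skill's own `scripts/collect_release_changes.sh`, whose contents are not shown on this page), the script below reproduces the argument-injection finding above beside a hardened version. It assumes the script receives a `from..to` range in a single variable; the function names `vuln_collect`, `safe_collect`, `safe_ref`, `make_demo_repo` and `demo_*` are hypothetical, and the `demo_*` functions build a throwaway git repository as constructed sample input, so they need git on PATH. `safe_ref` is pure shell.

```shell
#!/bin/sh
# Added example, not the skill's code. Shows why an unquoted ref variable in a
# "git log" call is argument injection, and one way to close it. Function and
# file names below are hypothetical; the demo repository is constructed here.

# Vulnerable shape: $1 is expanded unquoted, so "v1.0.0..HEAD --output=/tmp/x"
# is word-split into two arguments and git log honours --output, a documented
# diff option that redirects git's output into a file (creating/truncating it).
vuln_collect() {
  git log --oneline $1
}

# Allow-list check for a revision or range argument: non-empty, no leading "-",
# and only characters that occur in ref names and range syntax. Returns 0 if safe.
safe_ref() {
  case "$1" in
    ''|-*) return 1 ;;
    *[!A-Za-z0-9._/~^@{}-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hardened shape: validate, quote, and tell git option parsing is over
# (--end-of-options needs git 2.24+); "--" keeps the ref from being read as a path.
safe_collect() {
  local range
  range=$1
  safe_ref "$range" || { printf 'refusing unsafe range: %s\n' "$range" >&2; return 2; }
  git log --oneline --end-of-options "$range" --
}

# Constructed sample input: a temp repo with a tag and one commit after it.
# Prints the repo path; returns 1 (and cleans up) if git is unavailable.
make_demo_repo() {
  local dir
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    git init -q || exit 1
    git -c user.name=demo -c user.email=demo@example.com -c commit.gpgsign=false \
      commit -q --allow-empty -m 'feat: first' || exit 1
    git -c tag.gpgsign=false tag v1.0.0 || exit 1
    git -c user.name=demo -c user.email=demo@example.com -c commit.gpgsign=false \
      commit -q --allow-empty -m 'fix: second' || exit 1
  ) >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
  printf '%s\n' "$dir"
}

# Returns 0 if the injected --output made git create/truncate $2 ($1 = repo dir).
demo_injection() {
  rm -f "$2"
  ( cd "$1" && vuln_collect "v1.0.0..HEAD --output=$2" ) >/dev/null 2>&1
  [ -e "$2" ]
}

# Returns 0 if the hardened function refused the same input and wrote nothing.
demo_hardened() {
  rm -f "$2"
  if ( cd "$1" && safe_collect "v1.0.0..HEAD --output=$2" ) >/dev/null 2>&1; then
    return 1
  fi
  [ ! -e "$2" ]
}

# Prints how many commits the hardened function reports for a valid range.
demo_valid_count() {
  ( cd "$1" && safe_collect "v1.0.0..HEAD" ) | wc -l | tr -d ' '
}

# Stand-alone run: skipped silently when git is not installed.
repo=$(make_demo_repo) && {
  target="$repo/target.txt"
  demo_injection "$repo" "$target" && echo "unquoted: git wrote $target"
  demo_hardened "$repo" "$target" && echo "quoted+validated: input refused, nothing written"
  echo "valid range yields $(demo_valid_count "$repo") commit(s)"
  rm -rf "$repo"
}
```

Run it directly to watch the unquoted form create `target.txt` through `--output` while the hardened form refuses the same input. The three layers are independent: the allow-list alone rejects the injected value even on git older than 2.24, quoting stops word splitting, and `--end-of-options` stops a ref that begins with `-` from being parsed as a flag.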
Capability Assessment
Purpose & Capability
Name and description match the actual artifacts: SKILL.md and a small shell script that collect git commits and touched files. No extraneous env vars, binaries, or network endpoints are requested.
Instruction Scope
SKILL.md confines runtime actions to running the included script and summarizing its output. It does rely on agent judgment to triage user-impacting changes (which is appropriate) and may lead the agent to inspect repo content or commit messages — expected for this task but worth noting since repo data can contain sensitive paths/messages.
Install Mechanism
No install spec; this is instruction-only with a tiny included script. Nothing is downloaded or written to disk by an installer.
Credentials
The skill declares no environment variables, credentials, or config paths. The script uses only local git; no external secrets are requested.
Persistence & Privilege
always:false and no special privileges or persistent system changes. The skill does not alter other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install toby-app-store-changelog
- After installation, invoke the skill by name or use /toby-app-store-changelog
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the app-store-changelog skill:
- Generate user-facing App Store release notes from git history since the last tag.
- Collect, triage, and summarize only user-visible changes for accurate and concise updates.
- Organize changes by category (New, Improved, Fixed) and remove internal-only work.
- Provide clear, plain-language, benefit-focused bullet points for release notes.
- Includes a workflow guide and scripts to ensure easy and comprehensive changelog generation.
Frequently Asked Questions
What is App Store Changelog?
Create user-facing App Store release notes by collecting and summarizing all user-impacting changes since the last git tag (or a specified ref). Use when ask... It is an AI Agent Skill for Claude Code / OpenClaw, with 97 downloads so far.
How do I install App Store Changelog?
Run "/install toby-app-store-changelog" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is App Store Changelog free?
Yes, App Store Changelog is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does App Store Changelog support?
App Store Changelog is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created App Store Changelog?
It is built and maintained by TobeyRebecca (@tobeyrebecca); the current version is v1.0.0.