← 返回 Skills 市场
864
总下载
3
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install app-store
功能描述
Publish and manage iOS and Android apps with account setup, submission workflows, review compliance, and rejection handling.
使用说明 (SKILL.md)
Scope
App Store Connect (iOS) and Google Play Console (Android). Covers the full publishing lifecycle from account creation to updates. For keyword optimization, see app-store-optimization skill.
Account Setup
| Platform | Cost | Time | Key Steps |
|---|---|---|---|
| Apple Developer Program | $99/year | 1-7 days | Enroll → D-U-N-S (orgs) → Payment → Agreements |
| Google Play Console | $25 once | Minutes-48h | Register → Identity verification → Payment profile |
Apple gotchas:
- D-U-N-S number required for organizations (free, takes 1-2 weeks)
- Legal entity name must match D-U-N-S exactly
- Agreements (Paid Apps, Apple Pay) must be accepted before features work
Google gotchas:
- Identity verification can take 48h+ for new accounts
- Closed testing track required before production (20+ testers, 14+ days for new apps since 2023)
iOS Signing (The Hard Part)
| Asset | What It Is | Where Created | Expires |
|---|---|---|---|
| Distribution Certificate | Your signing identity | Keychain → App Store Connect | 1 year |
| Provisioning Profile | Links cert + app ID + devices | App Store Connect | 1 year |
| App ID | Unique identifier (bundle ID) | App Store Connect | Never |
When Xcode says "No signing identity":
- Check certificate exists in Keychain Access (login keychain)
- Check provisioning profile includes that certificate
- Check bundle ID in Xcode matches App ID exactly
- Revoke and recreate if nothing else works
Automatic vs Manual Signing:
- Automatic: Xcode manages everything (fine for solo devs)
- Manual: Required for CI/CD, teams, or multiple apps
- Never mix — pick one approach per project
Submission Checklist
Pre-submit verification (both platforms):
- Privacy policy URL live and accessible
- All required permissions have usage descriptions
- App works without network (or handles offline gracefully)
- No placeholder content, "lorem ipsum", or test data
- Screenshots match actual app UI (no misleading marketing)
- Contact support email valid and monitored
iOS-specific:
- Export Compliance (ITSAppUsesNonExemptEncryption in Info.plist)
- App Tracking Transparency if using IDFA
- Privacy manifest (PrivacyInfo.xcprivacy) for required APIs
Android-specific:
- Target SDK meets current requirement (currently API 34)
- Data safety form completed
- Content rating questionnaire filled
- 20+ testers on closed track for 14+ days (new apps)
Common Rejections
| Code | Meaning | Fix |
|---|---|---|
| 4.2 (iOS) | Minimum functionality | Add features, or argue value proposition in appeal |
| 4.3 (iOS) | Spam/duplicate | Differentiate significantly from your other apps |
| 5.1.1 (iOS) | Data collection | Implement App Tracking Transparency, update privacy manifest |
| 2.1 (iOS) | Crashes/bugs | Test on real devices, check Crashlytics |
| Deceptive behavior (Android) | Misleading metadata | Match screenshots to real functionality |
| Broken functionality (Android) | App doesn't work as described | Full QA on production build |
Appeal strategy:
- Read rejection reason carefully (don't assume)
- If misunderstanding: Explain with screenshots, video if needed
- If valid: Fix issue, note what changed in resolution notes
- Never resubmit identical binary hoping for different reviewer
Review Timeline
| Platform | Typical | Expedited | Slower Periods |
|---|---|---|---|
| Apple | 24-48h | Request via App Review form | New iOS launches, holidays |
| 2-6h | N/A | Initial submissions, policy violations |
Apple expedited review: Only for critical bugs, time-sensitive events. Overuse = ignored.
Monetization Setup
In-app purchases (IAP):
- Create products in App Store Connect / Play Console
- Implement StoreKit (iOS) / BillingClient (Android)
- Set up server-side receipt validation (don't trust client)
- Handle sandbox vs production environments
Subscriptions:
- Configure introductory offers, free trials, grace periods
- Implement subscription lifecycle: renewal, cancellation, billing retry
- Server notifications endpoint for real-time status updates
- Test with sandbox accounts (both platforms have quirks)
Revenue splits: Apple/Google take 15-30% (15% for Small Business Program or after year 1 of subscription).
Multi-App Management
Organization structure:
- Apple: One enrollment, multiple apps, team roles per app
- Google: One developer account, multiple apps, user permissions
Team roles (critical):
- Separate "submit builds" from "release to production"
- Marketing should access metadata only
- Finance sees revenue, not code
Cross-platform releases:
- Submit iOS first (longer review)
- Hold Android release until iOS approved
- Use phased rollout to catch issues early
When to Load More
| Situation | Reference |
|---|---|
| Keyword optimization, A/B testing | app-store-optimization skill |
| Generating release notes from git | app-store-changelog skill |
| TestFlight/internal testing setup | testing.md |
| CI/CD automation (fastlane, APIs) | automation.md |
安全使用建议
This appears to be a legitimate publishing guide, but there are important mismatches you should consider before installing or using it: (1) The SKILL.md expects Apple .p8 keys, Issuer/Key IDs, and a Google service-account JSON plus tools like fastlane/gradle/generate_jwt, yet the skill metadata lists no required credentials or binaries — treat that as a warning sign. (2) Do not upload or paste your key.p8 or service-account.json into untrusted places; only store them in encrypted CI secrets or secure vaults. (3) If an agent implements these instructions, ensure it will not read local key files or environment variables unless you explicitly provide them and trust the skill source. (4) Verify the skill author/source before giving any credentials; prefer generating keys and granting least privilege (service account scopes) and using official tooling and documented CI secret storage. If you proceed, plan to supply credentials only in secure CI/secret storage and double-check any automation that might push signing material to git.
功能分析
Type: OpenClaw Skill
Name: app-store
Version: 1.0.0
The `automation.md` file contains direct shell commands (`curl`) and Python code snippets intended for CI/CD automation. These instructions demonstrate how to authenticate and interact with Apple App Store Connect and Google Play Developer APIs using sensitive credentials (e.g., `.p8` private keys, `service-account.json`). While the described operations are legitimate for app publishing, the presence of executable commands that require access to local sensitive files creates a significant vulnerability. If an AI agent were to execute these instructions without proper sandboxing or strict user consent for credential access, it could lead to unauthorized API calls or actions on external platforms, classifying it as suspicious due to the potential for abuse, even without explicit malicious intent.
能力评估
Purpose & Capability
The name/description match the SKILL.md content (App Store Connect and Google Play workflows). However, the skill metadata declares no required env vars, binaries, or config paths while the instructions explicitly rely on App Store Connect .p8 keys (Issuer ID, Key ID, key.p8), Google service-account JSON, fastlane, Xcode/Gradle, and a generate_jwt tool. A legit publishing workflow would require those credentials/tools; their absence from the declared requirements is an incoherence.
Instruction Scope
SKILL.md contains step-by-step instructions that reference reading local credential files (key.p8, service-account.json) and environment variables ($ISSUER_ID, $KEY_ID) and running tooling (fastlane, generate_jwt, gradle) even though none are declared. It also discusses storing signing material with fastlane match (which can encourage insecure practices if done incorrectly). The instructions therefore assume access to sensitive secrets and system tooling beyond what the skill metadata advertises.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code or downloads, which is lower risk. There are no remote install URLs or extracted archives. That said, the instructions instruct use of external tools (fastlane, gradle, Xcode, generate_jwt) but do not provide an install mechanism for them.
Credentials
The guidance clearly requires sensitive artifacts (Apple .p8 + Issuer/Key IDs; Google service-account JSON) and CI secrets, but the skill declares no required environment variables or config paths. This mismatch means a user (or an agent) following the skill might be prompted to provide high-value credentials without the registry metadata signalling that need. The guidance also mentions storing certs in git or cloud storage (fastlane match) — which is potentially risky unless properly encrypted and controlled.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request persistent system presence or modification of other skills. Autonomous invocation is allowed (platform default), but there is no evidence the skill self-installs or persists credentials on its own.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install app-store - 安装完成后,直接呼叫该 Skill 的名称或使用
/app-store触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
App Store 是什么?
Publish and manage iOS and Android apps with account setup, submission workflows, review compliance, and rejection handling. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 864 次。
如何安装 App Store?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install app-store」即可一键安装,无需额外配置。
App Store 是免费的吗?
是的,App Store 完全免费(开源免费),可自由下载、安装和使用。
App Store 支持哪些平台?
App Store 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 App Store?
由 Iván(@ivangdavila)开发并维护,当前版本 v1.0.0。
推荐 Skills