← 返回 Skills 市场

AppStore Rating Pulse

Name: AppStore Rating Pulse
Author: aligurelli

作者 kokoko · GitHub ↗ · v1.1.0

cross-platform ⚠ suspicious

782

总下载

当前安装

版本数

在 OpenClaw 中安装

/install appstore-rating-pulse

功能描述

Monitor App Store ratings for any iOS app across multiple countries. Fetches live overall ratings using Apple's free iTunes Lookup API — no API key needed. S...

使用说明 (SKILL.md)

AppStore Rating Pulse

Fetches current overall App Store ratings for iOS apps across any country using Apple's free iTunes Lookup API — no API key or paid subscription needed.

Setup

Edit scripts/fetch-ratings.sh with your apps and regions:

# Apps: "App Name" "AppStoreID" "CC1,CC2,CC3"
APPS=(
  "My App|1234567890|US,GB,DE"
  "Another App|9876543210|US,JP,KR"
)

Country codes follow ISO 3166-1 alpha-2 (US, GB, JP, KR, DE, FR, RU, ES, CA, AU, etc.).

Run Manually

bash /path/to/skills/public/appstore-rating-pulse/scripts/fetch-ratings.sh

Output Format

overall rating for My App(1234567890) 19.02.2026 - 4,72 - USA
overall rating for My App(1234567890) 19.02.2026 - 4,10 - UK
overall rating for My App(1234567890) 19.02.2026 - N/A - GERMANY

Ratings use comma as decimal separator. N/A means the app has no ratings in that country yet.

Daily Cron Setup

Create an isolated cron job (sessionTarget: isolated) that runs the script and delivers the output via announce:

Run bash /path/to/scripts/fetch-ratings.sh and send the output to the user as-is. If all lines show N/A or the script errors, warn that something may be wrong.

Schedule example: 0 12 * * * (daily at noon, your timezone).

Customization

Add/remove apps by editing the APPS array in fetch-ratings.sh
Add/remove countries per app by editing the comma-separated country code list
Country name display is handled automatically (common countries are mapped; others display as the raw code)

安全使用建议

This skill appears to be what it claims: a small script that hits Apple's iTunes Lookup API and prints formatted ratings. Before installing, verify the runtime environment has bash, curl and python3 available (the metadata currently omits those dependencies). Run the script manually first to confirm output and that network access is acceptable. If you enable a cron job or allow autonomous agent runs, place the job in an isolated session as suggested and ensure no sensitive environment variables are exposed to that session. No API keys or credentials are requested by this skill.

功能分析

Type: OpenClaw Skill Name: appstore-rating-pulse Version: 1.1.0 The `scripts/fetch-ratings.sh` file contains a shell injection vulnerability. User-configured values for `appId` and `region` from the `APPS` array are directly interpolated into the `curl` command's URL string without proper shell escaping. This allows for arbitrary command execution if a user (or an attacker who modifies the user's configuration) includes shell metacharacters in these variables. While this is a significant vulnerability, it requires user-supplied malicious input into their own configuration, and there is no evidence of intentional malicious behavior (e.g., data exfiltration, backdoor installation) by the skill developer. The `SKILL.md` instructions for the AI agent are benign and do not exhibit prompt injection with malicious objectives.

能力评估

ℹ Purpose & Capability

The skill's name, description, SKILL.md, and included script are consistent: they fetch App Store ratings via Apple's iTunes Lookup API. However, the package metadata claims no required binaries while the script actually depends on bash (obvious), curl and python3 at runtime. This is a minor incoherence in declared requirements (they are needed and reasonable for the stated purpose).

✓ Instruction Scope

SKILL.md instructs the agent to edit and run the provided script and optionally schedule a cron job. The instructions stay on-task (fetching ratings, formatting output). The script only performs network calls to itunes.apple.com and does not read arbitrary files or environment variables beyond an optional TZ for date display. The cron guidance suggests running in an isolated session and announcing output; that's a reasonable deliver mechanism but is an operational choice, not hidden behavior.

✓ Install Mechanism

No install spec is provided and the skill is instruction-only with a small script—this is the lowest-risk model. Nothing is downloaded or installed by the skill itself.

✓ Credentials

The skill requests no credentials or config paths. The script uses TZ optionally for date formatting but otherwise does not read or transmit secrets. The absence of required env vars is coherent with the described functionality.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated privileges or modify other skills or system-wide settings. It recommends (but does not implement) a user-controlled cron job; installing such a cron job would be a user decision.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install appstore-rating-pulse
安装完成后，直接呼叫该 Skill 的名称或使用 /appstore-rating-pulse 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.0

Shortened description for better display on ClawHub.

v1.0.0

Initial release: track live App Store ratings across any country using Apple's free iTunes Lookup API. No API key needed.

元数据

Slug appstore-rating-pulse

版本 1.1.0

许可证 —

累计安装 2

当前安装数 1

历史版本数 2

常见问题