Complete release closeout with notarization, publishing, verification, and final checks.
This is not a prompt-only skill in practice; the materials explicitly involve high-sensitivity release credentials, signing/notarization, and npm publishing steps, while relying on private secret locators and repo-specific rules. Although it is open-source on GitHub, adoption is minimal and maintenance is unknown, so the overall posture is mostly caution with extra attention to credentials and supply-chain aspects.
The materials explicitly involve Apple App Store Connect secrets (key_id, issuer_id, private_key_p8), Developer ID/keychain passwords, npm publish tokens, TOTPs, and 1Password/service-account references, all of which are highly sensitive. The README includes instructions not to print secrets, but using the skill in a real release workflow still creates risks of credential access, temporary file exposure, and misuse.
The description and README indicate interactions with npm, GitHub Releases, and Apple notarization services as part of the release workflow; this is normal egress for the stated purpose. No clear red flag shows data being sent to unrelated or unknown endpoints, but release artifacts and related metadata would be transmitted to third-party platforms.
The materials clearly include local command execution and use of system tools such as tmux, op, xcrun notarytool, security, codesign, and npm-related commands, indicating that the skill drives a local release command chain. This local execution capability matches the stated purpose, but it does imply the ability to modify the local environment and invoke system-level release tooling.
The README points to several local/private resources, including ~/Projects/Peekaboo, repo AGENTS.md, $release-private, .mac-release.env, temporary env files, keychain paths, and temporary npmrc files, showing that it reads and may briefly write sensitive local files. There is no explicit sign of broad data harvesting beyond the release workflow, but the access scope does include local repositories, configuration, and secret material.
A positive factor is that the repository is open-source on GitHub and therefore auditable. However, no license is declared, community adoption is 0 stars, maintenance status is unknown, and the materials depend on external skills/private rule files (such as $one-password, $browser-use, $release-private, and AGENTS.md), which reduces independent auditability. There is no concrete malicious red flag warranting a high-risk rating, but source maturity is limited.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "release-peekaboo" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/Peekaboo/main/.agents/skills/release-peekaboo/SKILL.md 2. Save it as ~/.claude/skills/release-peekaboo/SKILL.md 3. Reload skills and tell me it's ready
Run the release-peekaboo workflow for the current version: complete notarization, publish the npm package and GitHub release, update the appcast, verify the release, and output a closeout checklist.
A complete release closeout report with step statuses, verification results, and follow-up items.
Check the release status for this version: confirm notarization passed, npm and GitHub releases are published, the appcast is updated, and list any missing steps.
A release verification report showing completed, failed, and missing items.
Based on the Peekaboo release process, generate a post-release closeout checklist covering notarization, publishing, appcast updates, verification, and final wrap-up notes.
A structured release closeout checklist for team confirmation and documentation.
Release ~/Projects/Peekaboo as the npm package @steipete/peekaboo plus signed/notarized macOS app assets.
Use $one-password, $browser-use, $npm, $autoreview, and repo AGENTS.md rules. Load $release-private if it exists before resolving Peter-owned credential locators. Read $npm before any npm auth, token, or publish recovery work. Keep all op secret work inside one persistent tmux session. Never print .p8, npm tokens, passwords, or OTPs.
$release-private.key_id, issuer_id, private_key_p8.xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.Sparkle key:
.mac-release.env has the current fallback.SPARKLE_PRIVATE_KEY_FILE for normal releases.Developer ID release keychain:
$release-private.codesign wants to use the release keychain, enter the keychain item password, not the Developer ID .p12 password..p12 while creating the keychain.security unlock-keychain and security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" so codesign can use the identity without GUI prompts.npm publish token:
$release-private.$npm rules. Run inside the same tmux session, write only a temp npmrc, delete it immediately, and use the npmjs TOTP item for web auth if npm prompts.Use the service account from $release-private first. Put the token in the tmux environment without printing it:
# Resolve SERVICE_ACCOUNT_TOKEN from $release-private first.
tmux -S "$SOCKET" set-environment -t "$SESSION" OP_SERVICE_ACCOUNT_TOKEN "$SERVICE_ACCOUNT_TOKEN"
Create a temp env file with service-account refs from $release-private:
APP_STORE_CONNECT_API_KEY_P8=<1Password ref from release-private>
APP_STORE_CONNECT_KEY_ID=<1Password ref from release-private>
APP_STORE_CONNECT_ISSUER_ID=<1Password ref from release-private>
Before a release, verify shape and Apple auth without printing values:
op run --env-file "$ENVFILE" -- bash -c '
set -euo pipefail
KEY_FILE="/tmp/AuthKey_${APP_STORE_CONNECT_KEY_ID}.p8"
printf "%s\n" "$APP_STORE_CONNECT_API_KEY_P8" > "$KEY_FILE"
chmod 600 "$KEY_FILE"
xcrun notarytool history \
--key "$KEY_FILE" \
--key-id "$APP_STORE_CONNECT_KEY_ID" \
--issuer "$APP_STORE_CONNECT_ISSUER_ID" \
--output-format json >/dev/null
rm -f "$KEY_FILE"
'
Peekaboo forces notarytool submit --no-s3-acceleration; the default S3 accelerated upload path can return a misleading 401 even when history auth succeeds.
If both history and non-S3 submit fail, suspect wrong access level or stale key. Browser route:
$browser-use real Chrome profile.https://appstoreconnect.apple.com/access/integrations/api.Peekaboo Release <version> with Admin access..p8 once from the key row.notarytool history; delete ~/Downloads/AuthKey_<key_id>.p8.main; pull ff-only if needed.package.jsonversion.jsonApps/CLI/Sources/Resources/version.json…
Capture macOS screenshots and analyze interface content with visual question answering.
Fetch GitHub issues, create fixes, open PRs, and handle reviews.
Convert text to speech locally and offline with sherpa-onnx, no cloud needed.
Verify an OpenClaw release is fully published and working across all channels.
Create and review technical docs and agent instruction files in repositories.
Navigate Feishu knowledge bases and surface relevant wiki pages and links.
Capture and automate macOS UI actions with Peekaboo CLI for scripting and testing.
Run or recover OpenClaw macOS signing, notarization, and release promotion.
Draft OpenClaw release announcements and testing guidance from release evidence.
Identify the right configuration label for a release brief.
Expose local browser session recordings to AI agents for debugging and analysis.
Prepare and verify OpenClaw stable or beta releases and release notes.