# Add to your Claude Code skills
```bash
git clone https://github.com/nickustinov/itsyconnect-macos
```
Guides for using mcp servers skills like itsyconnect-macos.
Last scanned: 6/3/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@electron-forge/cli: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/core: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/core-utils: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/maker-base: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/maker-dmg: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/maker-pkg: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/maker-zip: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/plugin-base: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/publisher-base: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/shared-types: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/template-base: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/template-vite: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/template-vite-typescript: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/template-webpack: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron-forge/template-webpack-typescript: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron/node-gyp: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron/rebuild: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@esbuild-kit/core-utils: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@esbuild-kit/esm-loader: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@inquirer/editor: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@inquirer/prompts: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@protobufjs/utf8: protobufjs has overlong UTF-8 decoding",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tootallnate/once: @tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@vitest/coverage-v8: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "cacache: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "drizzle-kit: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "drizzle-orm: Drizzle ORM has SQL injection via improperly escaped SQL identifiers",
"severity": "high"
},
{
"type": "npm-audit",
"message": "electron: Electron: AppleScript injection in app.moveToApplicationsFolder on macOS",
"severity": "high"
},
{
"type": "npm-audit",
"message": "esbuild: esbuild enables any website to send any requests to the development server and read the response",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
"severity": "high"
},
{
"type": "npm-audit",
"message": "external-editor: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "make-fetch-happen: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "next: Next.js: HTTP request smuggling in rewrites",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "serialize-javascript: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "terser-webpack-plugin: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "tmp: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vitest: When Vitest UI server is listening, arbitrary file can be read and executed",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-06-03T08:55:54.253Z",
"npmAuditRan": true,
"pipAuditRan": true
}
A desktop app and self-hosted web dashboard that replaces Apple's App Store Connect. Edit metadata across all locales at once, manage TestFlight builds and testers, review analytics, respond to customer reviews, and submit nominations – all from a single desktop window. AI translates your descriptions, keywords, review replies, and even screenshots into every language with one click.
Everything runs locally. One SQLite database, no cloud, no accounts, no telemetry. Credentials are encrypted with AES-256-GCM and the master key lives in the macOS Keychain.
Release management – edit descriptions, keywords, what's new, promotional text, names, and subtitles for every locale. Pick builds, choose release method (manual, automatic, or scheduled), toggle phased rollout. Save everything in one click.
AI-powered localisation – translate any field or all fields to one locale or every locale simultaneously. Generate optimised keywords. Draft professional review replies. Translate foreign reviews. Generate appeal text for unfair ratings. Bring your own API key from Anthropic, OpenAI, Google, xAI, Mistral, or DeepSeek.
TestFlight – manage builds, beta groups, and testers in one interface. Add or remove builds from groups in bulk. Track installs, sessions, and crashes per build. Review tester feedback with device details and screenshots. Mark feedback as done.
Analytics – impressions, downloads, proceeds, first-time downloads, sessions, crashes, and conversion funnel. Compare periods, break down by territory, track version adoption. Acquisition sources, usage patterns, and crash reports across separate tabs.
Keyword optimisation – track keyword character budgets per locale and storefront. Detect duplicates between name, subtitle, and keyword fields within a locale and across locales. One-click fix suggestions help maximise coverage and ranking across every market.
Customer reviews – filter by rating, territory, or response status. Translate foreign-language reviews with one click. Draft replies with AI, automatically matching the reviewer's language. Edit and delete existing responses.
Screenshots – upload, reorder with drag-and-drop, preview in lightbox, and delete screenshots across all device categories (iPhone, iPad, Mac, Apple TV, Apple Watch, Apple Vision) and locales. Translate screenshots to any locale using Gemini 3 Pro Image – the AI translates marketing text while preserving fonts and layout. Copy base locale screenshots to other locales without translation. Locale picker shows which locales have screenshots at a glance.
Nominations – browse, edit, and submit App Store nominations. AI-powered fill generates nomination answers from your app metadata with one click.
Dark mode – full light and dark theme support, follows your system appearance or can be set manually.
Self-hosted Docker – run Itsyconnect as a web app on your local network or server. One command to start, auto-generated encryption key, persistent SQLite volume. See self-hosting with Docker.
Diff mode – opt-in setting that accumulates store listing, app details, app review, and keyword changes locally instead of saving to App Store Connect immediately. Review a full before/after diff across all sections and locales, discard individual fields, then push everything in one go.
MCP server – optional Model Context Protocol server lets AI coding tools (Claude Code, Codex, Cursor, OpenCode) manage your app listings directly. Update release notes, translate fields, add locales – all from your terminal. Respects diff mode when enabled. See docs/MCP.md.
Privacy and security – local-first architecture. All data stays on your Mac in a single SQLite file. Credentials encrypted with AES-256-GCM envelope encryption, master key stored in the macOS Keychain. No cloud, no accounts, no telemetry.
Itsyconnect is completely free, with no limits – manage as many apps and developer accounts as you like. Every feature is available to everyone, on both direct downloads and the Mac App Store. Licensed under AGPL-3.0.
Most people just want the app. Download the latest release, open the DMG, and drag Itsyconnect into your Applications folder:
⬇ Download Itsyconnect – macOS 11 or later
The build is signed and notarized by Apple, so it opens without Gatekeeper warnings, and updates itself automatically from then on. On first launch the setup wizard guides you through connecting your App Store Connect credentials. Older builds are on the releases page.
Prefer to compile and run it yourself? Clone the repo and start the dev build:
```bash
git clone https://github.com/nickustinov/itsyconnect-macos.git
cd itsyconnect-macos
npm install
npm run electron:dev
```
The setup wizard will guide you through connecting your App Store Connect credentials. See Development below for building your own signed DMG.
Run Itsyconnect as a web app on your local network or server.
```bash
docker run -d -p 3000:3000 -v itsyconnect-data:/app/data ghcr.io/nickustinov/itsyconnect:latest
```
Or with docker compose:
```bash
docker compose up -d
```
The app will be available at http://localhost:3000. A master encryption key is auto-generated and saved to the data volume on first run.
The Docker container has no built-in authentication. If you expose it beyond your local machine, put it behind a reverse proxy with basic auth.
Caddy (recommended – automatic HTTPS):
```
itsyconnect.example.com {
    basicauth {
        admin $2a$14$... # caddy hash-password
    }
    reverse_proxy localhost:3000
}
```
Generate a password hash with `caddy hash-password`, then paste it into the Caddyfile.
Nginx:
```nginx
server {
    listen 443 ssl;
    server_name itsyconnect.example.com;
    # "listen ... ssl" also requires ssl_certificate and ssl_certificate_key
    # directives for this server; they are not shown here.

    auth_basic "Itsyconnect";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
Generate credentials with `htpasswd -c /etc/nginx/.htpasswd admin`.
Tailscale – if you just want access from your own devices without exposing anything to the public internet, put the machine on your tailnet and access it via the Tailscale IP. No auth config needed.
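The `docker run -d -p 3000:3000 ...` command above publishes port 3000 on every host interface, so a reverse proxy on the same host adds basic auth on 443 while the unauthenticated app stays reachable directly on 3000. The following added example (not part of the Itsyconnect project) audits `docker port` output for that condition; the function names and sample output are constructed for illustration, and it assumes the proxy runs on the same host as the container.

```sh
# Added example, not from the Itsyconnect repository.
# Function names and sample data are hypothetical/constructed.

# Classify the host address of one published port.
classify_bind() {
  case "$1" in
    127.*|"[::1]"|::1)    echo loopback ;;
    0.0.0.0|"[::]"|::)    echo wildcard ;;
    *)                    echo specific ;;
  esac
}

# Read `docker port <container>` output on stdin, print "<verdict> <addr>"
# per binding, and return 1 if any binding listens on every interface.
audit_port_bindings() {
  _rc=0
  while IFS= read -r _line; do
    [ -n "$_line" ] || continue
    _target=${_line##* -> }    # 0.0.0.0:3000, [::]:3000 or older :::3000
    _host=${_target%:*}        # drop the trailing :port
    _kind=$(classify_bind "$_host")
    echo "$_kind $_target"
    if [ "$_kind" = wildcard ]; then _rc=1; fi
  done
  return "$_rc"
}

# Constructed sample: bindings produced by the page's `-p 3000:3000`.
SAMPLE_PAGE_CMD='3000/tcp -> 0.0.0.0:3000
3000/tcp -> [::]:3000'
# Constructed sample: same container published with `-p 127.0.0.1:3000:3000`.
SAMPLE_LOOPBACK='3000/tcp -> 127.0.0.1:3000'

printf '%s\n' "$SAMPLE_PAGE_CMD" | audit_port_bindings ||
  echo "FAIL: port 3000 is reachable without going through the proxy"
printf '%s\n' "$SAMPLE_LOOPBACK" | audit_port_bindings &&
  echo "OK: only the same-host proxy can reach the app"
```

With the proxy on the same host, publishing as `-p 127.0.0.1:3000:3000` yields the loopback verdict; for Tailscale-only access, bind to the machine's tailnet IP instead of the wildcard.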
All data (SQLite database, master key) is stored in the /app/data volume. Back up this directory to preserve your configuration and cached analytics.
```bash
npm run electron:dev        # Launch Electron with hot reload
npm run electron:make:dmg   # Build signed DMG (direct distribution)
npm run electron:make:mas   # Build for Mac App Store (MAS=1)
npm run test                # Run tests
npm run test:watch          # Watch mode
npm run test:coverage       # Coverage report
npm run db:generate         # Generate Drizzle migration
npm run db:studio           # Drizzle Studio
npm run lint                # ESLint
```
The MAS=1 environment variable produces a sandboxed Mac App Store build. In MAS mode the in-app auto-updater is disabled (updates go through the App Store) and the local MCP server is hidden (sandbox restrictions). It is set automatically by the electron:make:mas script.
To test MAS mode during development:
```bash
MAS=1 npm run electron:dev
```
| Flag | Purpose |
|---|---|
| MAS=1 | Sandboxed Mac App Store build: disable auto-updater, hide the MCP server, use MAS entitlements. Set automatically by electron:make:mas. |
| MAS_DEV=1 | Sign with Apple Development cert + dev provisioning profile (for local testing). Without this, the build uses the 3rd Party Mac Developer Application cert + distribution profile (for App Store submission). |
Two provisioning profiles are needed in the project root (both gitignored):
| File | Type | When to use |
|---|---|---|
| provisioning.dev.provisionprofile | macOS App D