Web Builder
v1.0.0Build full-stack applications after collecting project requirements. Use when user says Neo App Mode, asks to build/create/scaffold a new app, or wants React...
⭐ 0· 295·0 current·0 all-time
byCHINMAYA GARNAIK@chinmayagit
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Neo App Mode / build full-stack apps) match the included assets: SKILL.md collects requirements and the shell script scaffolds a frontend and backend with the described stack and structure. The requested files and generated package.json values are proportionate to a scaffolding task.
Instruction Scope
Instructions direct the agent to run a local shell script to create project files and to collect requirements first — appropriate. Minor problems: SKILL.md calls the script at 'skills/neo-app-mode/scripts/scaffold_neo_app.sh' but the provided script path in the package is 'scripts/scaffold_neo_app.sh' (path mismatch). Also the generated .env.example contains a weak default JWT_SECRET ('change_me') which is a security/usability note for users of the scaffolded app.
Install Mechanism
No install spec; this is an instruction-only skill that includes a local scaffolding script. Nothing is downloaded or written outside the scaffold target directory by the script itself.
Credentials
The skill does not require environment variables or credentials to run. The generated application relies on runtime env vars (MONGODB_URI, JWT_SECRET) and includes .env.example with defaults — those are expected for a scaffold but you should replace defaults (notably JWT_SECRET) before deploying.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges. The script writes files only under the specified apps/<name> path; it does not modify other skills or system configuration.
Assessment
This skill appears to do what it says: it scaffolds a local React + Node + Mongo app. Before running: 1) confirm the correct script path in your environment (SKILL.md path differs from the package path), 2) run the script from a safe working directory to avoid overwriting important files (it creates apps/<project-name> by default), 3) review and replace insecure defaults in the generated .env (especially JWT_SECRET and DB URI) before running the app in production, and 4) inspect the generated package.json and code if you need custom dependencies or stricter security (input validation, rate-limiting, CORS policies). If you want extra assurance, open the script and a few generated files locally and run them in an isolated environment or container first.Like a lobster shell, security has layers — review code before you run it.
latest
CHINMAYA GARNAIK@chinmayagit
DownloadNeo App Mode
Collect requirements first, then scaffold a production-ready starter.
Requirement intake (ask before scaffolding)
Ask these in one compact checklist:
- Project name
- App type and core modules (auth, dashboard, CRUD entities)
- User roles (admin/user/etc.)
- Required pages and API endpoints
- MongoDB connection preference (local/Atlas)
- Auth method (JWT/session/OAuth)
- Extra features (file upload, charts, payments, notifications)
If user is unsure, use defaults from references/default-requirements.md.
Generate app scaffold
Run:
bash skills/neo-app-mode/scripts/scaffold_neo_app.sh \
--name <project-name> \
--path apps \
--with-auth jwt
Output structure:
frontend/→ React + Vite + Tailwindbackend/→ Express + MongoDB + MVC.env.examplefiles for frontend/backend- starter README with run steps
Behavior rules
- Always confirm requirements summary before code generation.
- Use clean MVC in backend:
models/,controllers/,routes/,middlewares/,config/. - Add at least one sample entity module with full CRUD.
- Add health route and API prefix
/api/v1. - Keep generated code minimal, readable, and extendable.
Comments
Loading comments...