v1.0.0

pagesskill

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:25 AM.

Analysis

This instruction-only skill matches its NocoBase page-building purpose, but it can guide an agent to overwrite, clean, or remove persistent app pages and add custom JavaScript without clear approval or rollback guardrails.

GuidanceBefore installing, decide whether you are comfortable letting an agent modify your NocoBase app structure. Prefer using it in staging first, require confirmation for destructive or full-replace actions, keep backups, and manually review any generated JavaScript or event-flow changes before publishing.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

The `flowModels:update` API does a **full replace**... `nb_page_layout("tab_uid")` ... `This cleans existing content`; tools include `nb_delete_route`, `nb_remove_field`, and `nb_remove_column`.

The documented workflow and tool list can replace, clean, delete, or remove NocoBase page structures. This is related to the stated purpose, but the artifacts do not show approval, backup, staging, or rollback controls before destructive or persistent changes.

User impactAn agent using this skill could overwrite or remove menus, pages, routes, fields, or columns in a NocoBase app, potentially disrupting users if the wrong target is selected.

RecommendationUse this only with explicit target page IDs, previews or diffs, backups/exports, and human confirmation for full replacements, cleaning, delete, remove, or patch operations.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

SKILL.md

description: Guide AI to build NocoBase pages — menus, tables, forms, popups, KPIs, JS blocks... tools: `nb_js_block`, `nb_js_column`; `JSBlockModel (custom JS content)`.

The skill explicitly supports adding custom JavaScript blocks and columns. This is disclosed and purpose-aligned, but JavaScript inserted into application pages may execute for users and should be reviewed.

User impactCustom JavaScript could change page behavior or expose users to unsafe scripts if generated or reviewed poorly.

RecommendationReview any generated JavaScript before publishing it, avoid secrets in JS blocks, and test in a non-production NocoBase environment first.