Skill v0.1.4
ClawScan security
Flutter AppStore Doc UI Kit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 7:32 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (generating App Store docs, UI prompts/images, and an icon) but has a few minor inconsistencies and privacy considerations you should be aware of before using it.
- Guidance: This skill appears to do what it says: produce a v1 App Store spec, Apple-style UI images, and a square-corner icon. Before installing/using: 1) Be aware that if you use Option A (AI image generation) the approved doc text will be sent to api.openai.com using the OPENAI_API_KEY; review docs for any PII or proprietary content you don't want transmitted. 2) The skill metadata does not declare OPENAI_API_KEY even though the script uses it; supplying the key is optional and only needed for automated image generation. 3) If you prefer not to send content to a third-party model, use the provided prompt package (Option B) and generate images locally or via a service you control. 4) The included Python scripts run locally and generate files in the specified output folder; inspect the generated docs before sending them anywhere. If you want higher assurance, request that the publisher add OPENAI_API_KEY to the skill metadata (as an optional env) and document exactly which fields of the doc are sent to the external API.
Review Dimensions
- Purpose & Capability (ok): The name/description match the included assets and scripts: generate_appstore_pack.py produces the localized Markdown spec, SVG page mockups and a programmatic PNG/SVG icon; generate_ui_ai.py sends approved docs to an image-generation API to produce PNG UI images. The skill's declared goal (specs + Apple-style UI imagery + icon) aligns with the code and instructions.
- Instruction Scope (note): Runtime instructions are gated and explicit (three approval gates: docs → UI → icon). The only network I/O is in scripts/generate_ui_ai.py, which POSTs prompts (constructed from the approved doc text) to the OpenAI images endpoint; that means any content in the docs will be transmitted to the external image model when Option A is used. The SKILL.md instructs a non-network fallback (a prompt package) if no model access exists, which keeps the process local/user-controlled in that case.
- Install Mechanism (ok): There is no install spec; this is instruction + local Python scripts. No remote downloads, no archive extraction, and generated files are written only to the user-specified output directory. This is low-risk from an install perspective.
- Credentials (concern): Metadata declares no required environment variables, but generate_ui_ai.py reads OPENAI_API_KEY from the environment (and SKILL.md references providing an API key for Option A). That mismatch is a transparency concern: the env var is used only for optional AI-assisted image generation, but it is not listed in the skill's required env metadata. No other unrelated secrets are requested.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or global agent configuration, and only writes artifacts to the user-specified output path. It does not request system-wide privileges or credentials beyond the optional API key for image generation.
