Web Builder
v1.0.0
Build full-stack applications after collecting project requirements. Use when user says Neo App Mode, asks to build/create/scaffold a new app, or wants React...
by CHINMAYA GARNAIK @chinmayagit
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Neo App Mode / build full-stack apps) match the included assets: SKILL.md collects requirements and the shell script scaffolds a frontend and backend with the described stack and structure. The requested files and generated package.json values are proportionate to a scaffolding task.
Instruction Scope
Instructions direct the agent to run a local shell script to create project files and to collect requirements first — appropriate. Minor problems: SKILL.md calls the script at 'skills/neo-app-mode/scripts/scaffold_neo_app.sh' but the provided script path in the package is 'scripts/scaffold_neo_app.sh' (path mismatch). Also the generated .env.example contains a weak default JWT_SECRET ('change_me') which is a security/usability note for users of the scaffolded app.
Install Mechanism
No install spec; this is an instruction-only skill that includes a local scaffolding script. Nothing is downloaded or written outside the scaffold target directory by the script itself.
Credentials
The skill does not require environment variables or credentials to run. The generated application relies on runtime env vars (MONGODB_URI, JWT_SECRET) and includes .env.example with defaults — those are expected for a scaffold but you should replace defaults (notably JWT_SECRET) before deploying.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges. The script writes files only under the specified apps/<name> path; it does not modify other skills or system configuration.
Assessment
This skill appears to do what it says: it scaffolds a local React + Node + Mongo app. Before running: 1) confirm the correct script path in your environment (SKILL.md path differs from the package path), 2) run the script from a safe working directory to avoid overwriting important files (it creates apps/<project-name> by default), 3) review and replace insecure defaults in the generated .env (especially JWT_SECRET and DB URI) before running the app in production, and 4) inspect the generated package.json and code if you need custom dependencies or stricter security (input validation, rate-limiting, CORS policies). If you want extra assurance, open the script and a few generated files locally and run them in an isolated environment or container first.
Like a lobster shell, security has layers — review code before you run it.
latest vk976xqxjc2y5s14ecv4pnrqew982ac9h
