Skill v2.0.6
ClawScan security
FOSMVVM SwiftUI App Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 14, 2026, 5:30 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match its stated purpose (generating a SwiftUI @main App with FOSMVVM wiring); it asks for no secrets, installs nothing, and contains only template guidance for Darwin/macOS projects.
- Guidance: This skill appears coherent and focused on generating SwiftUI App templates for FOSMVVM. Before using it: (1) verify you replace all placeholders (AppName, ResourceBundle names, {ProductionURL}/{DebugURL}) and do not accidentally hard-code sensitive endpoints or credentials; (2) confirm you trust the referenced FOSMVVM / FOSFoundation dependencies (review their source/license at the provided GitHub homepage); (3) understand the templates read Bundle.main/Info.plist and ProcessInfo.arguments for deployment/test detection (this is normal), so ensure your CI sets FOS-DEPLOYMENT as intended; (4) note the skill is macOS/Darwin-only; and (5) always review the generated code before committing (the skill only provides templates and will not itself install or transmit secrets).
Review Dimensions
- Purpose & Capability (ok): The name/description (generate App struct, MVVMEnvironment, deployment URLs, test infra) align with the templates in SKILL.md and reference.md. The skill requests no unrelated credentials, binaries, or config paths.
- Instruction Scope (ok): Runtime instructions and templates only describe generating Swift source (App struct, environment injection, DEBUG test helpers). The only runtime observations mentioned are standard: reading Bundle.main/Info.plist for deployment selection and ProcessInfo.arguments for test detection. There are no instructions to read arbitrary host files, exfiltrate data, or call external endpoints beyond configuring serverBaseURL placeholders.
- Install Mechanism (ok): This is instruction-only with no install spec and no downloads; nothing is written to disk by an installer step in the skill itself. Risk from install mechanism is minimal.
- Credentials (ok): The skill declares no required environment variables or credentials. It documents common CI/Info.plist usage (FOS-DEPLOYMENT) which is proportional to deployment configuration and not a secret. There are no requests for unrelated tokens or secrets.
- Persistence & Privilege (ok): always is false and agent autonomous invocation is allowed (default) — appropriate for a user-invoked code-generation skill. The skill does not request persistent system privileges or to modify other skills' configurations.
