YZTurboWebAndroid
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only Android WebView SDK integration skill, but users should verify the third-party dependency and implement the JS bridge/WebView reuse patterns with strict scoping.
Before using this skill, confirm the SDK dependency comes from a trusted source, restrict JS Bridge handlers to trusted domains and minimal methods, and ensure reused WebViews or offline packages do not carry sensitive state across pages or users.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into an app without additional checks, untrusted or compromised web content loaded in the WebView could invoke native functionality or receive app data.
The skill documents a JS Bridge where web content can call native handlers and receive data; this is purpose-aligned, but the example does not show origin checks, method allow-listing, or authorization controls.
override fun method(): String = "getUserInfo" // supports wildcards such as "Life.*" ... val params = request.jsData() ... callback?.invoke(userInfo)
Only register bridge methods needed for trusted pages, validate the loaded URL/origin, avoid wildcard handlers for sensitive functions, validate JS parameters, and require app-side authorization before returning user data.
The Android project would execute code from an external package that is outside this skill's reviewed artifacts.
The skill instructs users to add an external SDK dependency. The version is pinned and this is expected for an SDK integration, but the dependency code is not included in the artifact set.
implementation 'com.youzan.turboweb:turbo-web:1.0.1'
Verify the Maven coordinates, publisher, repository source, checksums or signatures, and official documentation before adding the dependency to a production app.
A reused WebView or offline resource cache could expose stale state or unintended content if the app does not clean up between users, sessions, or pages.
The documented design reuses WebViews and prefers local offline resources. This is core to the performance/offline purpose, but it can preserve page state, cached data, or local content across page lifecycles.
WebView preloading and reuse ... offline package management, intercepting requests and serving local resources first ... WebViewLoader.release(webView)
Clear or isolate sensitive WebView state on release, validate and version offline packages, and avoid reusing WebViews across security boundaries such as different accounts or trust levels.
