YZTurboWebAndroid
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: yzturbo-web-android
Version: 1.0.0
The skill bundle provides documentation and integration examples for the YZTurboWebAndroid SDK, a high-performance WebView container. The content in SKILL.md consists of standard Kotlin and JavaScript code snippets for WebView management and JS Bridge communication, with no evidence of malicious intent, data exfiltration, or prompt injection. The referenced dependency 'com.youzan.turboweb:turbo-web' is consistent with legitimate libraries from the Youzan ecosystem.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into an app without additional checks, untrusted or compromised web content loaded in the WebView could invoke native functionality or receive app data.
The skill documents a JS Bridge where web content can call native handlers and receive data; this is purpose-aligned, but the example does not show origin checks, method allow-listing, or authorization controls.
override fun method(): String = "getUserInfo" // supports wildcards such as "Life.*" ... val params = request.jsData() ... callback?.invoke(userInfo)
Only register bridge methods needed for trusted pages, validate the loaded URL/origin, avoid wildcard handlers for sensitive functions, validate JS parameters, and require app-side authorization before returning user data.
The Android project would execute code from an external package that is outside this skill's reviewed artifacts.
The skill instructs users to add an external SDK dependency. The version is pinned and this is expected for an SDK integration, but the dependency code is not included in the artifact set.
implementation 'com.youzan.turboweb:turbo-web:1.0.1'
Verify the Maven coordinates, publisher, repository source, checksums or signatures, and official documentation before adding the dependency to a production app.
A reused WebView or offline resource cache could expose stale state or unintended content if the app does not clean up between users, sessions, or pages.
The documented design reuses WebViews and prefers local offline resources. This is core to the performance/offline purpose, but it can preserve page state, cached data, or local content across page lifecycles.
WebView preloading and reuse ... offline package management; intercepted requests are served from local resources first ... WebViewLoader.release(webView)
Clear or isolate sensitive WebView state on release, validate and version offline packages, and avoid reusing WebViews across security boundaries such as different accounts or trust levels.
