uniapp-expert
v1.0.0uni-app 跨平台开发专家技能,涵盖 Vue2/Vue3 开发、Vue2→Vue3 迁移实战、微信小程序自动化测试。融合真实项目踩坑经验,提供从开发到测试的完整解决方案。
⭐ 0· 76·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims uni-app/Vue expertise and mini program automation testing and includes Vue guidance files plus a focused weapp-automated-testing python package. The Python scripts and Node.js automation snippets all relate to controlling WeChat DevTools, reading console logs, taking screenshots, and running test scenarios — which is consistent with the description.
Instruction Scope
Runtime instructions and code generate temporary JavaScript files and invoke 'node' to connect to a local WebSocket (default ws://localhost:9420) and the local WeChat DevTools CLI. The code also searches common DevTools log directories under the user's home to locate .log files. These actions are within the expected scope for automation and log collection, but they do access user-local files and run generated scripts — review if you have sensitive logs in DevTools folders.
Install Mechanism
No install spec is declared (instruction-only install), but the SKILL.md instructs the user to install the npm dependency 'miniprogram-automator'. The skill does not download remote archives or add third‑party installers. This is proportionate for a DevTools automation toolkit.
Credentials
The skill does not request environment variables, credentials, or external tokens. It does access standard local paths (user home/Application Support or AppData) to locate DevTools logs and expects Node/npm and WeChat DevTools to be present — these are reasonable for the stated functionality.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It does create and remove temporary script files at runtime and invokes local executables (node, DevTools CLI), which is normal for automation tasks and limited to the agent's runtime.
Scan Findings in Context
[writes_temp_js_and_executes_node] expected: The Python modules generate temporary JS files and execute them with the local 'node' binary to drive miniprogram-automator — this is expected for batching automation commands and reducing WebSocket overhead.
[reads_user_devtools_log_dirs] expected: console_reader.py searches common DevTools log directories under the user's home (AppData / Library/Application Support) and reads .log files for reporting. This fits the console-reading purpose but does access local logs which may contain sensitive entries.
[subprocess_run_shell_usage] expected: The code runs 'npm root -g' via subprocess with shell=True to populate NODE_PATH for Node execution. While functional, shell=True is a small surface for injection if untrusted input were used; here the command is static and used to locate npm global modules.
Assessment
This skill appears coherent for uni-app development guidance and WeChat mini program automated testing. Before installing or running: 1) Ensure you trust the source because the skill will generate and execute temporary Node.js scripts locally and will call your WeChat DevTools CLI — these operate on your machine only (no hardcoded remote endpoints). 2) Install the required npm dependency ('miniprogram-automator') and ensure your DevTools 'Service Port' is enabled if you plan to use automation. 3) Review the scripts (they are included) if you are concerned about reading local DevTools log files — console_reader inspects files under your user profile. 4) If you handle sensitive data in DevTools logs or worry about executing generated scripts, run the toolkit in an isolated environment (VM/container) or audit the generated JS before execution. Overall the behavior matches the stated purpose; the main risks are local file access and running local automation scripts, which are expected for this kind of tool.Like a lobster shell, security has layers — review code before you run it.
latestvk974td72mackcvw8qc6a4r0gws84a1xz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.