Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

iOS Dev Cleanup

v1.0.1

Use when checking iOS development disk usage or cleaning up simulators, runtimes, device support, derived data, CocoaPods cache, archives, or other build art...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: scanning Xcode/simulator/derived data/archives and offering deletion commands is consistent. Minor metadata inconsistency: registry metadata lists no required binaries, but SKILL.md declares requires_binaries: xcrun, du, stat — those binaries are reasonable and expected for macOS/Xcode cleanup.
! Instruction Scope
The SKILL.md explicitly runs filesystem size scans and numerous deletion commands (rm -rf on DerivedData, DeviceSupport, caches, archives, etc.) which is appropriate for cleanup but inherently destructive. It also specifies automatic cleaning of 'unavailable' simulators/runtimes with '直接执行清理(无需用户确认)' (execute without user confirmation). That automatic deletion before the user review step is the primary scope risk: if invoked without supervision it can remove local data unexpectedly. The instructions target both user-home paths and system Asset paths (/System/Library/AssetsV2) — the latter is SIP-protected but still referenced.
Install Mechanism
Instruction-only skill with no install spec or code to write to disk; this is low install risk. README suggests installing by git cloning from a public GitHub repo, which is a normal distribution method but not enforced or verified by the skill bundle itself.
Credentials
The skill requests no environment variables or credentials. The operations only require local CLI tools (xcrun, du, stat). No network endpoints or external credentials are requested or implied in SKILL.md/README.
! Persistence & Privilege
The skill is not 'always: true', but model invocation is allowed (disable-model-invocation: false). Because the instructions perform automatic deletion of 'unavailable' items without confirmation, autonomous invocation increases the risk of unintended deletions. Autonomous invocation alone is normal, but combined with the auto-delete behavior this is a notable concern.
What to consider before installing
This skill appears to do what it says (scan and remove iOS/Xcode artifacts) and requests no secrets. However:

- Pay attention to the 'unavailable' auto-clean step: SKILL.md says unavailable simulators/runtimes are deleted automatically without user confirmation. If you allow the agent to invoke skills autonomously, that could remove data before you see it. Consider disabling autonomous invocation for this skill or confirming the behavior in a safe environment first.
- Review deletion commands before execution. The tool uses rm -rf on many ~/Library paths (DerivedData, DeviceSupport, caches, archives). Make sure you (or the agent) run only the scan or a dry run first and verify which items will be deleted.
- The SKILL.md references system asset paths (/System/Library/AssetsV2) — those are SIP-controlled and could have side effects; the doc warns about SIP but be cautious.
- If you install the skill from the author's GitHub, inspect that repository yourself before cloning.

Prefer running scans only (no-delete mode) initially, and back up any data you cannot afford to lose. If you want this skill to be safer: require explicit user confirmation for every deletion (including 'unavailable' items) or disable autonomous invocation for this skill.

Like a lobster shell, security has layers — review code before you run it.
