develop-and-deploy-web-app
Review
Audited by ClawScan on May 12, 2026.
Overview
The skill is coherent for building and sharing demo web apps, but it will install npm dependencies, run long-lived local Node services, expose apps through a public URL, and maintain local registries.
Install and use this skill only when you want a local demo web app built, dependencies installed, Node processes started, and a public URL created. Avoid storing sensitive data in generated apps, review persistent .ai.md context before later edits, and stop or remove apps when you are done.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A shared demo app may be publicly accessible and its demo records may be editable through the app's API.
The skill intentionally exposes generated apps externally and creates mutable CRUD functionality. This is aligned with the demo/share purpose, but users should understand that data in the generated app may be reachable or changeable by anyone with the URL.
provide a URL that another person can open from outside the machine ... At least one CRUD flow
Do not put sensitive data in generated demo apps, share URLs only with intended viewers, and stop or remove apps after use.
Installing the generated app will download and run dependency installation behavior from the npm ecosystem.
The generated app uses third-party npm dependencies with semver ranges, which is normal for this purpose but means installs depend on npm package provenance and future compatible-version resolution.
"react": "^19.1.0", "react-dom": "^19.1.0" ... "vite": "^6.3.5"
Use this in trusted workspaces, review generated package files/lockfiles when needed, and avoid deploying generated apps in sensitive environments without dependency review.
The skill can run local build/install commands and package scripts for generated projects.
The script executes npm commands in the generated app directory. This is expected for building and deploying a web app, but it is real local command execution.
const result = spawnSync(npmCall.file, npmCall.args, { cwd, encoding: "utf8", stdio: "inherit"
Invoke deployment only when you want local commands to run, and review/stop generated processes if they are no longer needed.
A changed .ai.md file could steer future modifications to the generated app.
The skill creates and reuses persistent AI context files for future app modifications. This is useful project memory, but such files can influence later agent behavior if edited.
Before modifying an existing generated web app, read its `.ai.md` file first.
Treat .ai.md as project context rather than authoritative instructions, and review it before asking the agent to modify an existing app.
A bad registry entry could make generated apps hard to find, route, restore, or stop correctly.
The skill updates a shared platform-level registry in addition to per-app files. This supports routing and discovery, but registry mistakes could affect multiple generated apps.
Keep `../platform_data/web-app-registry.json` synchronized relative to the `.openclaw` root directory.
Use the provided status/list/stop/remove scripts for lifecycle management and inspect registry files if app routing behaves unexpectedly.
Generated apps may keep running locally until stopped, and restore scripts can start apps marked for auto-start.
The skill starts long-running app processes and supports restore, while explicitly saying it should not silently add OS-level persistence. This is disclosed and purpose-aligned.
Run each web app in its own isolated Node.js process ... Support restart recovery through registry-driven restore scripts, but do not silently install OS startup hooks or scheduled tasks.
Use status-app.js, stop-app.js, remove-app.js, or set-autostart.js to manage running apps and restore behavior.
