SvelteKit WebApp
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent SvelteKit app-building skill, but it can run development/deployment commands and use your logged-in GitHub/Vercel accounts, so approvals should be reviewed carefully.
This skill appears purpose-aligned for creating and deploying a SvelteKit PWA. Before installing or invoking it, make sure you are comfortable approving shell commands, package installs, GitHub repo creation, Vercel deployment, and project-local agent notes. Verify the active accounts and deployment targets before approving production steps.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent may create repositories, push code, and deploy a live application under your accounts.
The skill documents commands that create and push a GitHub repository and can trigger production deployment. This is expected for the stated deployment purpose, but it is high-impact.
gh repo create [project-name] --private --source=. --push ... git push origin main # Triggers production deployment
Review each command before approval, confirm the target repository and branch, and deploy to staging/private targets before production.
Actions may be performed in the currently authenticated personal or organization accounts, including repository creation and deployment.
The preflight checks rely on existing authenticated CLI sessions, so later GitHub, Vercel, or Turso actions would run with the user's logged-in identity.
gh auth status 2>/dev/null && echo "✓ GitHub" ... vercel whoami 2>/dev/null && echo "✓ Vercel" ... turso auth status
Before using the skill, confirm which GitHub/Vercel/Turso accounts and teams are active, and use least-privilege tokens or separate accounts where appropriate.
The generated project may include many third-party packages, and compromised or unexpectedly changed packages could affect the application.
The setup flow installs and runs standard external JavaScript tooling and dependencies. This is normal for SvelteKit scaffolding, but package provenance and version drift matter.
pnpx sv create [project-name] ... pnpx sv add eslint prettier mcp mdsvex tailwindcss vitest playwright ... pnpm install
Review package.json and lockfiles, pin versions for production-sensitive projects, and run dependency audit/update checks before deployment.
Incorrect, malicious, or secret-containing entries in project notes could mislead future coding iterations or be accidentally committed.
The workflow stores reusable project guidance in progress.txt and has future agent iterations read it. This is purpose-aligned project memory, but persistent context can influence later behavior.
Read the progress log at `progress.txt` (check Codebase Patterns section first) ... add it to the `## Codebase Patterns` section at the TOP of progress.txt
Inspect CLAUDE.md and progress.txt before reuse, avoid storing secrets there, and treat project-local notes as editable context rather than trusted policy.
