Website Skeleton Skill

Review

Audited by ClawScan on May 15, 2026.

Overview

The skill is coherent for building and deploying a full-stack website, but it involves cloud deployment, payment/account credentials, and persistent analytics/audit data that users should configure carefully.

Install only if you are comfortable giving the generated project access to your EdgeOne account and any payment, AI, and database secrets needed for the selected template. Treat the deployment as production-impacting: review generated code, secrets, analytics behavior, cron jobs, and admin/payment settings before going live.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may publish generated code to a cloud-hosted site under the user’s EdgeOne account.

Why it was flagged

The skill’s deployment workflow uses a CLI login and publishes to EdgeOne Pages. This is central to the stated purpose, but it can affect a real cloud account and public website.

Skill content
npm install -g edgeone
edgeone login --site china
edgeone pages deploy -n my-site

Recommendation

Review the generated site, project name, target account, and deployment settings before running the deploy command.

What this means

Misconfigured or over-scoped secrets could affect authentication, payments, AI provider usage, or database access in the generated website.

Why it was flagged

The skill declares secrets for authentication, AI integration, payment, and database access. These credentials are expected for the advertised stack, but they are sensitive and should be scoped carefully.

Skill content
JWT_SECRET ... required: true ... secret: true
AI_API_KEY ... secret: true
WX_APPID ... secret: true
WX_MCHID ... secret: true
DATABASE_URL ... secret: true

Recommendation

Use least-privilege project-specific credentials, store them only in the deployment provider’s secret store, and rotate them if they are shared accidentally.

What this means

Visitors to the generated site may have page views, referrers, session identifiers, and related metadata recorded.

Why it was flagged

The analytics helper collects user/session identifiers and browsing context, and sends them to the site’s analytics endpoint. This is normal for an analytics module but creates persistent user-tracking data.

Skill content
userId: getUserId() || null,
sessionId: getSessionId() || getAnonymousId(),
url: typeof location !== 'undefined' ? location.pathname : null,
referrer: typeof document !== 'undefined' ? document.referrer : null

Recommendation

Provide a clear privacy notice, verify opt-out/DNT behavior, and avoid collecting unnecessary personal data.

What this means

If enabled, orders in the generated store can be automatically cancelled or completed based on timing rules.

Why it was flagged

The generated backend includes a scheduled job that automatically changes order states. This is bounded and relevant to e-commerce, but it is autonomous background behavior.

Skill content
EdgeOne Pages Cron trigger configuration: runs every 5 minutes
1. PENDING for more than 30 minutes (timed out) → CANCELLED
2. SHIPPED for more than 7 days with no after-sales request → COMPLETED

Recommendation

Confirm the cron schedule, timeout rules, tenant scope, and rollback/admin procedures before using it in production.