Web Architecture

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: web-architecture
Version: 0.1.0

The skill bundle provides comprehensive documentation and instructions for building a TypeScript/Next.js/Convex application using a multi-agent workflow. All commands and code snippets described are standard development practices (e.g., `bun install`, `npx convex dev`, `next build`). The `SKILL.md` focuses on development methodology and quality assurance, without any prompt injection attempts to subvert the agent's purpose or exfiltrate data. While `TECH-REQ.md` mentions Sentry's session replay with `maskAllText: false`, which could be a privacy concern for the application being built, it is a configuration choice for the application's error tracking, not an indication of malicious intent by the skill bundle itself.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI10: Rogue Agents
What this means

A build or delegated task could run longer than expected and consume time, credits, or compute until manually stopped or completed.

Why it was flagged

The skill openly instructs long-running sub-agent execution; this is aligned with its orchestration purpose, but users should notice the lack of a hard runtime bound.

Skill content
Sub-agents MUST run without timeout limits.
Recommendation

Use clear checkpoints, review each phase before continuing, and apply your own budget or cancellation limits if your agent runner supports them.

What this means

The agent may start development tooling, generate files, or modify project state as part of the build workflow.

Why it was flagged

The instructions include local CLI commands. These are expected for bootstrapping and verifying a Convex/Next.js project, but they will execute in the user's development environment.

Skill content
Initialize Convex: `npx convex dev --once` ... Run `npx convex dev` ... Verify: `bun run build` passes
Recommendation

Run the skill only inside the intended project workspace and review generated or modified files before committing or deploying.

What this means

If you supply real provider keys, generated application code may gain access to billing, email, auth, or analytics services.

Why it was flagged

The technical requirements include examples for provider secrets and billing/webhook integrations. This is expected for a full-stack app spec, and there is no evidence of secret logging or unrelated transmission.

Skill content
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!); ... process.env.STRIPE_WEBHOOK_SECRET!
Recommendation

Use environment variables, least-privilege test keys where possible, and review provider scopes before using production credentials.

Note (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may apply product-specific defaults, branding, integrations, or requirements that do not match your project.

Why it was flagged

A supporting document is product-specific even though the skill is described as a general web architecture workflow; this could bias generated work toward HustleStack assumptions if the user does not override it.

Skill content
# HustleStack - Technical Requirements

> Comprehensive technical specification for the HustleStack career development platform.
Recommendation

Treat the HustleStack document as an example or template and explicitly provide your own project requirements before using the workflow.

What this means

Future installs may resolve to different package versions than originally intended.

Why it was flagged

The requirements favor latest-version dependencies. That is common for a modern app template, but unpinned versions can change behavior over time.

Skill content
| **Convex** | latest | ... | **Clerk** | latest | ... | **Stripe** | latest |
Recommendation

Pin dependency versions and commit a lockfile for real projects.