Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lowcode Platform Development

v1.0.0

Automates the creation of required development roles, scaffolds the project structure, and generates code for a low‑code development platform with Vue2 + Ele...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated goal (scaffold frontend/backend, create roles, run npm/mvn, produce docker-compose and CI) aligns with the skill name and description. However, the SKILL.md expects a PowerShell script and asset templates to perform that work, yet those runtime artifacts are either absent or only placeholders. The skill also does not declare the tools it actually requires (PowerShell, npm, Maven, git, Docker), so what it declares is out of proportion to what it claims to do.
Instruction Scope
Instructions tell the agent to run scripts/generate_project.ps1, run 'npm install' and 'mvn package', copy templates, and commit to a git repo. The referenced script file is not included in the manifest and the templates under assets are placeholders, so the instructions cannot be executed safely as-is. Running the described commands will perform network downloads (npm/maven), filesystem writes, and build-time script execution — none of which are spelled out or constrained in the SKILL.md. The instructions also implicitly require git/docker access but do not mention them.
Install Mechanism
There is no install spec (instruction-only), so the registry writes nothing to disk at install time; the risk instead moves to runtime, because the skill expects to execute build tooling (npm/Maven) that fetches and executes remote packages. Because the scaffolding script itself is missing, it is unclear what code would actually run when this skill is invoked in a real agent environment.
Credentials
The skill declares no required environment variables or credentials, yet its docker-compose sets SPRING_PROFILES_ACTIVE, and the workflow mentions pushing images, CI pipelines, and 'push the repository to a remote', all of which would need credentials. The undeclared binaries (PowerShell, npm, mvn, git, docker) and the unmentioned network activity are a proportionality gap. No explicit secret-exfiltration step appears, but the build commands download third-party code, which is an attack vector if they are run blindly.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not request to modify other skills or system-wide agent settings. No elevated persistence is requested.
What to consider before installing
This skill's purpose is reasonable for scaffolding a low-code project, but the runtime artifacts you would need to trust are missing or only placeholders. Before installing or running it:
1) Ask for the actual scripts (scripts/generate_project.ps1) and full template contents so you can review them line-by-line.
2) Confirm and install the required tools locally (PowerShell, npm, Maven, git, Docker) and ensure the SKILL.md lists them.
3) Do not run builds or scaffold commands on a sensitive machine; run them in an isolated VM or sandbox, because 'npm install' and 'mvn package' will fetch and execute third-party code.
4) Require the skill to declare any network operations, repository pushes, or credentials it will use; do not provide repository or registry credentials until you have inspected the scripts.
5) If you intend to accept this skill, request that the author include the missing files or change the SKILL.md to only operate on user-supplied, verified templates.
These steps reduce the risk of accidentally executing unknown code or leaking credentials.
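The two checks the scan keeps returning to (files the SKILL.md references but the bundle does not ship, and build/push commands that imply binaries, network access and credentials the SKILL.md never declares) can be automated before anything is executed. The following is an added example written for this page, not code from ClawHub or from the skill's author; the SKILL.md text, the bundle file listing, the `requires:` declaration line and the command-to-tool rules are all constructed assumptions that mirror the findings above.

```python
"""Static pre-install check for an agent skill bundle (added example).

Cross-references the files SKILL.md tells the agent to run or copy against
the files actually shipped, flags placeholder templates, and lists the
binaries and side effects the instructions imply versus what is declared.
"""
import re
from dataclasses import dataclass, field

# Constructed sample SKILL.md resembling the instructions the scan describes.
SAMPLE_SKILL_MD = """\
# Lowcode Platform Development

1. Run `scripts/generate_project.ps1` to scaffold the project.
2. Copy `assets/templates/docker-compose.yml` into the new repository.
3. Run `npm install` in frontend/ and `mvn package` in backend/.
4. Commit, then push the repository to a remote.
"""

# Constructed sample bundle: path -> file content. The script is absent and
# the template is a stub, as the scan reports for the real skill.
SAMPLE_BUNDLE = {
    "SKILL.md": SAMPLE_SKILL_MD,
    "assets/templates/docker-compose.yml": "# TODO: fill in\n",
}

# Backtick-quoted tokens that look like relative file paths (dir/name.ext).
PATH_RE = re.compile(r"`([\w.\-]+(?:/[\w.\-]+)+\.[A-Za-z0-9]+)`")

# Assumed declaration format: a "requires:" line such as "requires: npm, git".
REQUIRES_RE = re.compile(r"^requires:\s*(.+)$", re.I | re.M)

# Phrases that imply a binary plus side effects the SKILL.md should declare.
COMMAND_RULES = [
    (r"\.ps1\b", "powershell", "executes a PowerShell script"),
    (r"\bnpm (install|ci)\b", "npm", "downloads packages and runs their lifecycle scripts"),
    (r"\bmvn \w+", "mvn", "downloads dependencies and runs build plugins"),
    (r"\bgit (push|clone)\b|push the repository", "git", "needs repo credentials and network"),
    (r"\bdocker(-compose)?\b", "docker", "needs access to the Docker daemon"),
]

PLACEHOLDER_RE = re.compile(r"\b(TODO|FIXME|PLACEHOLDER)\b", re.I)


@dataclass
class Findings:
    missing_files: list = field(default_factory=list)      # referenced but not shipped
    placeholder_files: list = field(default_factory=list)  # shipped but stubbed
    undeclared_tools: dict = field(default_factory=dict)   # tool -> why it is implied

    @property
    def safe_to_run(self) -> bool:
        return not (self.missing_files or self.placeholder_files or self.undeclared_tools)


def referenced_paths(skill_md: str) -> list:
    """Every file path the instructions tell the agent to run or copy."""
    return sorted(set(PATH_RE.findall(skill_md)))


def declared_tools(skill_md: str) -> set:
    m = REQUIRES_RE.search(skill_md)
    return {t.strip().lower() for t in m.group(1).split(",")} if m else set()


def implied_tools(skill_md: str) -> dict:
    """Tools the instructions would invoke, whether declared or not."""
    return {tool: why for pat, tool, why in COMMAND_RULES if re.search(pat, skill_md, re.I)}


def is_placeholder(content: str) -> bool:
    return bool(PLACEHOLDER_RE.search(content)) or len(content.strip()) < 20


def review_bundle(bundle: dict) -> Findings:
    skill_md = bundle["SKILL.md"]
    f = Findings()
    for path in referenced_paths(skill_md):
        if path not in bundle:
            f.missing_files.append(path)
        elif is_placeholder(bundle[path]):
            f.placeholder_files.append(path)
    declared = declared_tools(skill_md)
    f.undeclared_tools = {t: w for t, w in implied_tools(skill_md).items() if t not in declared}
    return f


if __name__ == "__main__":
    findings = review_bundle(SAMPLE_BUNDLE)
    print("missing:", findings.missing_files)
    print("placeholders:", findings.placeholder_files)
    for tool, why in findings.undeclared_tools.items():
        print(f"undeclared tool {tool}: {why}")
    print("safe to run without further review:", findings.safe_to_run)
```

Run it against the unzipped bundle by loading each file into the `bundle` dict; a non-empty `missing_files` or `placeholder_files` means the instructions cannot be executed as written, and every entry in `undeclared_tools` is a binary, network fetch or credential use the author should have declared. The checker is deliberately static: it never runs `npm install` or `mvn package`, so it is safe to use on the reviewing machine before anything is sandboxed.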


Version: latest (vk971kkhftd8ksnf632909j8tks835jmc)
