Harmonyos Flyverify Integretion
Advisory
Audited by static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent may change build settings, app permissions, and source code in the HarmonyOS project.
The skill is designed to perform file writes and project modifications, but the visible instruction requires showing the planned changes and waiting for user approval first.
Before any file-write or file-modification operation, the planned changes must be shown first and user confirmation awaited.
Review the proposed diff and commands before approving; keep the project under version control so changes can be reverted.
MobTech credentials may be stored in a local Excel file or inserted into app code and could be exposed if the project is shared or committed carelessly.
The skill expects MobTech app credentials and uses them for SDK initialization. This is expected for the integration, but those values are sensitive project credentials.
- Validate `appKey`, `appSecret`, feature switches and timeouts
- Initialization:
  - `ZztSDK.init(context, appKey, appSecret)`
Use only the intended MobTech app credentials, keep generated credential files out of version control, and rotate credentials if they are accidentally exposed.
Installing these packages can change dependency files and bring external code into the app project.
The workflow installs third-party SDK packages without pinned versions. This is central to the integration, but it is still a supply-chain point users should review.
- `ohpm install @zztsdk/zztcore`
- `ohpm install @zztsdk/flyverify`
Verify the package names and publisher, review resulting dependency or lockfile changes, and pin versions where the project policy requires it.
