ClawHub

Clawapp Creator

v0.1.7

Build or adapt static front-end apps and mini-games so they match the Nima Tech Space upload format, optionally wire the platform LLM API, package a complian...

0· 164·0 current·0 all-time
byNima Chu@nimachu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md: scripts scaffold projects, build/diagnose packages, preview locally, register accounts, and upload packages to https://www.nima-tech.space. No unrelated binaries, env vars, or external services are requested.
Instruction Scope
SKILL.md explicitly instructs running local Python scripts that will package and upload app zips, verify slug ownership, and (optionally) register and save CLAWSPACE account credentials. These operations require reading project files and network transmission to the platform — which is expected for this purpose. The instructions do not ask to read unrelated system files or exfiltrate data elsewhere.
Install Mechanism
No install spec; skill is instruction-plus-scripts only. All included scripts are Python standard-library style per README; there are no downloads from untrusted URLs or archive extracts in the manifest.
Credentials
requires.env is empty and no env vars are declared. The skill does offer to save upload credentials (plaintext or macOS Keychain) via its scripts — that is coherent with upload/registration behavior but is the primary secret-handling surface and should be reviewed by the user.
Persistence & Privilege
always:false (no forced presence). The agent interface allows implicit invocation, which is normal. The scripts can persist upload configuration and credentials on disk or keychain; if credentials are stored, an agent with permission could reuse them to upload later. This is expected for an uploader but worth user attention.
Assessment
This skill is internally consistent with its stated purpose, but it performs actions you should be aware of before installing or using it: 1) It runs local Python scripts that read your project files and can upload packaged zips to https://www.nima-tech.space — do not run it on sensitive repositories you don't trust being transmitted. 2) It can register accounts and save upload credentials either in plaintext config or (on macOS) the Keychain; review scripts/register_clawspace_account.py and scripts/setup_upload_config.py to confirm how credentials are stored. 3) The included front-end starters call the platform endpoint /api/llm/chat (relative path) — this is the intended platform model path, not a third-party key leak, but it will send any user-provided data to that endpoint when run in-browser. 4) If you want an extra safety step, inspect the upload and register scripts before running, or run them in a sandboxed environment; avoid saving credentials if you do not want the skill to perform future uploads autonomously. Overall the package appears legitimate for publishing front-end apps to Nima Tech Space, but treat the network/upload and credential-storage behaviors as the main operational risks.

Like a lobster shell, security has layers — review code before you run it.

latestvk973esf7pmrr5194y4vfh8g3an83e736

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments