Devtopia

Review

Audited by ClawScan on May 1, 2026.

Overview

The Devtopia skill is a coherent, instruction-only CLI guide, but following it means installing a third-party npm package, running tools drawn from a third-party registry, and optionally submitting generated tools back to that registry.

Use this skill only when you intentionally want Devtopia CLI help. Before installing, verify the npm package and its source. Before running an unfamiliar Devtopia tool or submitting a generated one, review the exact command, the tool's code, the account it will act under, and the sandbox and network settings in effect.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: Global npm install

What this means

Installing the CLI gives a third-party npm package the ability to execute code on the local machine, both at install time (npm lifecycle scripts such as postinstall) and every time the CLI is run.

Why it was flagged

The skill tells the user or agent to install a global npm CLI package. This is expected for a CLI-focused skill, but it relies on an external package that is neither version-pinned nor given any provenance (checksum, signature, or source repository) in the provided artifacts.

Skill content
npm i -g devtopia
Recommendation

Install Devtopia only from a trusted npm source, pin an exact version and verify the package against the registry-reported integrity value, and avoid global installs where a project-local install would suffice.
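One way to carry out the pin-and-verify part of this recommendation, as an added example that is not code from the ClawScan page or the Devtopia project: the first function checks a downloaded tarball against a Subresource Integrity (SRI) string of the form npm reports, and the second flags dependency specs that are ranges rather than exact pins. In practice the SRI string and the tarball come from the standard commands `npm view <pkg>@<version> dist.integrity` and `npm pack <pkg>@<version>`; the `SAMPLE_TARBALL` bytes and the dependencies map below are constructed so the check runs offline.

```python
# Added example (not code from the ClawScan page or the Devtopia project):
# verify a downloaded npm tarball against the registry-reported SRI integrity
# string, and flag dependency specs that are ranges rather than exact pins.
#
# In practice the two inputs come from standard npm commands, for example
#   npm view devtopia@<version> dist.integrity   -> "sha512-<base64>"
#   npm pack devtopia@<version>                  -> devtopia-<version>.tgz
# Here SAMPLE_TARBALL is a constructed byte string standing in for the .tgz so
# the check runs offline.
import base64
import hashlib
import hmac
import re

# Digest algorithms accepted in SRI strings. sha1 is deliberately absent:
# an integrity string that offers only sha1 must not verify.
_SRI_ALGOS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Exact semver: major.minor.patch with optional pre-release/build metadata.
_EXACT_VERSION = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)

SAMPLE_TARBALL = b"constructed stand-in for devtopia-<version>.tgz"  # not real package data


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI string such as 'sha512-<base64 digest>' for data."""
    digest = _SRI_ALGOS[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if data matches at least one strong entry in integrity.

    An SRI string may hold several space-separated entries; entries with an
    unknown or weak algorithm, or with undecodable base64, are skipped rather
    than treated as a match.
    """
    for entry in integrity.split():
        algo, sep, rest = entry.partition("-")
        if not sep or algo not in _SRI_ALGOS:
            continue
        b64 = rest.split("?", 1)[0]  # drop any SRI option suffix
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        actual = _SRI_ALGOS[algo](data).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def is_exact_pin(spec: str) -> bool:
    """True for '1.4.0' or '1.4.0-beta.1'; False for '^1.4.0', '~1.4', '*', 'latest', URLs."""
    return bool(_EXACT_VERSION.match(spec.strip()))


def find_unpinned(dependencies: dict) -> list:
    """Names in a package.json-style dependencies map whose spec is not an exact pin."""
    return [name for name, spec in dependencies.items() if not is_exact_pin(spec)]


if __name__ == "__main__":
    sri = make_sri(SAMPLE_TARBALL)
    print("integrity:", sri)
    print("tarball verifies:", verify_sri(SAMPLE_TARBALL, sri))
    print("tampered verifies:", verify_sri(SAMPLE_TARBALL + b"\x00", sri))
    # constructed dependencies map for illustration
    print("unpinned:", find_unpinned({"devtopia": "^1.4.0", "semver": "7.6.0"}))
```

The comparison uses `hmac.compare_digest` so that a mismatch is rejected in constant time, and an integrity string that only carries sha1 or malformed base64 is treated as no verification at all rather than as a pass.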

Finding 2: Running registry tools

What this means

Running a registry tool executes code written by a third party. How much that code can reach depends on the CLI's sandbox implementation and on whether its default restrictions are left in place.

Why it was flagged

The skill explicitly involves running Devtopia tools. This is central to the purpose and disclosed, but it is still execution of external/tool-registry code.

Skill content
`devtopia run` executes tools in an isolated sandbox (network disabled by default).
Recommendation

Run only tools you intend to use, keep sandbox restrictions enabled, and review tool inputs and outputs before using results in sensitive workflows. Note that the isolation and network-disabled claims come from the skill's own text; this review did not execute the CLI, so they were not verified at runtime.

Finding 3: Submitting tools to the registry

What this means

If the user permits it, an agent can submit a tool to the shared registry. That publishes the generated code to other registry users and changes external state that the wider ecosystem relies on.

Why it was flagged

The workflow includes submitting created tools to the Devtopia registry. This is disclosed and purpose-aligned, but it can change shared external state.

Skill content
devtopia submit my-tool ./my-tool.js -c core
Recommendation

Require explicit user approval before any `devtopia submit`, review the generated code first, and confirm the target category and the account the submission will be made under before submitting.
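One way to enforce this recommendation in an agent workflow, as an added example that is not code from the ClawScan page or the Devtopia project: a pre-submit gate that lists the lines in a generated tool's source that touch capability-bearing Node.js APIs, and only emits the `devtopia submit` command line once every flagged capability has been acknowledged, a named reviewer has approved, and the target category is stated. The command shape follows the skill content quoted above; the review patterns, the approval record and the `SAMPLE_TOOL_JS` source are this example's own assumptions, not Devtopia behaviour.

```python
# Added example (not code from the ClawScan page or the Devtopia project):
# a pre-submit gate for generated tools. It (1) lists lines in the tool's
# source that touch capability-bearing Node.js APIs so a human can review them,
# and (2) only emits the `devtopia submit` command line once every flagged
# capability has been acknowledged, a named reviewer has approved, and the
# target category is stated. The command shape follows the skill content quoted
# on the page; the review patterns, the approval record and SAMPLE_TOOL_JS are
# this example's own assumptions, not Devtopia behaviour.
import re
import shlex
from dataclasses import dataclass

# (label, pattern) pairs worth a second look before code goes to a shared
# registry. Deliberately simple line-oriented regexes, not a JS parser.
REVIEW_PATTERNS = [
    ("process spawning",
     re.compile(r"""require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]""")),
    ("network access",
     re.compile(r"""require\(\s*['"](?:node:)?(?:net|http|https|dns)['"]\s*\)|\bfetch\s*\(""")),
    ("filesystem writes",
     re.compile(r"\bfs\.(?:write|append|rm|unlink|rename|mkdir)\w*\s*\(")),
    ("dynamic code",
     re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")),
    ("environment or embedded secrets",
     re.compile(r"""process\.env\b|\b(?:api[_-]?key|secret|token)\s*[:=]\s*['"]""", re.I)),
]

# Constructed sample of a generated tool; not a real Devtopia tool.
SAMPLE_TOOL_JS = """\
// constructed sample tool for this example
const { execSync } = require('child_process');
const fs = require('fs');
module.exports = function run() {
  const head = execSync('git rev-parse HEAD').toString().trim();
  fs.writeFileSync('./last-head.txt', head);
  return head;
};
"""


@dataclass(frozen=True)
class Finding:
    label: str
    line_no: int
    line: str


class SubmitBlocked(Exception):
    """Raised when the human review gate is not satisfied."""


def review_tool_source(src: str) -> list:
    """Return one Finding per (line, pattern) hit, in source order."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for label, pattern in REVIEW_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(label, line_no, line.strip()))
    return findings


def build_submit_command(name, path, category, src, approved_by=None, acknowledged=()):
    """Return a shell-safe `devtopia submit` line, or raise SubmitBlocked."""
    pending = sorted({f.label for f in review_tool_source(src)} - set(acknowledged))
    if pending:
        raise SubmitBlocked("unreviewed capabilities: " + ", ".join(pending))
    if not approved_by:
        raise SubmitBlocked("explicit user approval is required before submitting")
    if not category:
        raise SubmitBlocked("target category must be confirmed")
    return shlex.join(["devtopia", "submit", name, path, "-c", category])


def submit_or_reason(**kwargs):
    """(True, command) when the gate passes, else (False, reason)."""
    try:
        return True, build_submit_command(**kwargs)
    except SubmitBlocked as exc:
        return False, str(exc)


if __name__ == "__main__":
    for f in review_tool_source(SAMPLE_TOOL_JS):
        print(f"line {f.line_no}: {f.label}: {f.line}")
    print(submit_or_reason(name="my-tool", path="./my-tool.js", category="core", src=SAMPLE_TOOL_JS))
    print(submit_or_reason(name="my-tool", path="./my-tool.js", category="core", src=SAMPLE_TOOL_JS,
                           acknowledged=("process spawning", "filesystem writes"), approved_by="reviewer"))
```

The gate fails closed: an agent that has not been handed an acknowledgement for every flagged capability, a reviewer name, and a category never receives a command to run, and `shlex.join` keeps a tool name or path with shell metacharacters from altering the command.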