AppDev-Skill

Audited by ClawScan on May 10, 2026.

Overview

This skill should be reviewed carefully because it automatically sends app-change requests through a shell curl command to an unauthenticated local backend with unclear safety boundaries.

Before installing, confirm that you intentionally want app-development requests delegated to a local Restate/AppFactory service, verify what is running on 127.0.0.1:8080, and avoid sending sensitive project details unless the backend is trusted and documented.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may stop coding directly and instead hand off the request to another system.

Why it was flagged

The skill intentionally redirects app-development requests away from normal coding and into a delegation workflow. That may be acceptable for this skill, but users should understand the agent will not directly implement changes.

Skill content
YOU MUST NOT write the code yourself. You must delegate the task to the Restate backend infrastructure.
Recommendation

Install only if you want app-development requests delegated to the Restate backend; otherwise avoid enabling this skill for coding tasks.

What this means

A malformed or adversarial request could break the command or influence what is executed/sent, and app-change tasks may be queued without a clear review step.

Why it was flagged

The skill tells the agent to execute a shell command and embed the user's exact request into that command data, but it does not specify safe JSON/shell escaping or require user confirmation before sending the task.

Skill content
Use the `exec` tool to run the following `curl` command ... -d '{"prompt": "<INSERT_USER_PROMPT_HERE>"}'
Recommendation

Use a safer HTTP client/tool interface, JSON-escape the prompt, avoid shell interpolation, and require explicit user confirmation before queueing app-modifying work.

What this means

Users cannot verify from these artifacts what backend will receive and process their app-development requests.

Why it was flagged

The skill depends on an external/local Restate backend, but the provided metadata gives no source, homepage, install, or provenance information for that backend.

Skill content
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Recommendation

Confirm the publisher and the localhost Restate service before installing, and prefer artifacts that document the backend source, setup, and trust boundary.

What this means

Sensitive project details in the request may be handed to whatever service is listening on that localhost port, and that service may act outside the chat session.

Why it was flagged

The skill sends the user's prompt to a local asynchronous backend over an unauthenticated HTTP endpoint, with no documented identity check, authorization, data handling, or boundary controls.

Skill content
curl -sS -X POST http://127.0.0.1:8080/AppFactory/buildFeature/send ... -d '{"prompt": "<INSERT_USER_PROMPT_HERE>"}'
Recommendation

Verify the local service, add authentication or service identity checks, document what data is sent and retained, and let users approve each handoff.