Capacitor App Development

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Capacitor development skill whose guidance is generally purpose-aligned, with a few areas where users should apply normal security caution.

Install this if you want Capacitor development assistance. Review proposed commands and diffs before applying them, use live reload and cleartext HTTP only on trusted development networks, remove development server settings before release, store authentication tokens and signing secrets in secure storage or environment/CI secret stores, and double-check any cache-deletion command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 91%
Finding
The document instructs users to bind the development server to 0.0.0.0 and expose it on the local network, but it does not warn that this makes the app's development content reachable by other devices on the same network. In the context of live reload this is often necessary, but without an explicit security note users may unintentionally expose source maps, debug endpoints, or in-progress app functionality on untrusted Wi-Fi.

Missing User Warnings

Medium
Confidence: 95%
Finding
The manual configuration explicitly sets a cleartext HTTP server URL and cleartext: true, but does not warn that traffic between device and dev server is unencrypted. On shared or hostile networks, this can allow interception or modification of development traffic, which is especially relevant because live reload serves app code directly into the WebView.

Missing User Warnings

Medium
Confidence: 96%
Finding
The document lists 'small tokens' as a use case for `@capacitor/preferences`, then immediately shows code using that API without warning that authentication tokens should instead go into secure storage. In a developer guidance skill, this can normalize storing session or auth tokens in a non-hardware-backed key-value store, increasing the risk of token disclosure on compromised devices, backups, or via insecure app handling.

Missing User Warnings

Medium
Confidence: 92%
Finding
The guidance explicitly recommends enabling cleartext HTTP traffic for development via `server.cleartext: true` or a network security config, but it does not clearly warn that HTTP traffic is vulnerable to interception and tampering on untrusted networks. In a mobile development troubleshooting guide, developers may copy this into broader use or forget to remove it, weakening transport security beyond the intended temporary debugging scenario.

VirusTotal

58/58 vendors flagged this skill as clean.