v1.0.0

Capacitor App Development

Benign. ClawScan verdict for this skill. Analyzed May 1, 2026, 8:13 AM.

Analysis

This is a coherent documentation-only Capacitor development skill, but users should review any suggested project edits, local commands, signing options, or live-reload settings before allowing them.

Guidance: This skill appears safe for Capacitor development documentation. Before installing or using it, be prepared to review any agent-proposed commands, dependency installs, project diffs, signing-related inputs, and live-reload configuration changes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Auto-detect before asking. Inspect the project for platforms (`android/`, `ios/`), framework ..., Capacitor version ...; Prefer actionable instructions. Provide exact file paths, commands, and diff blocks

The skill directs the agent to inspect local project structure and provide actionable commands and edits. This is expected for app development guidance, but it gives the agent influence over local project changes.

User impact: The agent may read Capacitor project files and suggest or apply changes to native app configuration.
Recommendation: Only use it in the intended project repository, and review proposed diffs and commands before approving changes.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
references/cli.md
Run `npx cap sync` after: ... Installing or removing plugins ... Lifecycle Hooks ... run at specific points during CLI operations ... Hooks are scripts defined in `package.json`

Capacitor CLI commands are central to the skill, but the reference itself notes that CLI operations can run project-defined lifecycle scripts.

User impact: Running the suggested development commands may execute local project scripts, install dependencies, or update native project files.
Recommendation: Approve command execution deliberately, especially in unfamiliar repositories, and inspect relevant `package.json` scripts or Capacitor hooks first.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
references/live-reload.md
The development server must bind to `0.0.0.0` ... server: { url: 'http://<LAN_IP>:<PORT>', cleartext: true } ... Remove the `server` block ... before building a production release.

Live reload setup intentionally exposes a development server on the network and changes app configuration. The reference gives a cleanup warning, making this purpose-aligned but still important to review.

User impact: Leaving live-reload or cleartext settings in the project could affect other builds or accidentally reach a production release.
Recommendation: Use live reload only for development and verify the `server` block and cleartext settings are removed before committing or releasing.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
references/cli.md
`--keystorepath <path>` ... `--keystorepass <pass>` ... `--keystorealias <alias>` ... `--keystorealiaspass <pass>`

The CLI reference documents Android signing options that can involve sensitive keystore credentials. This is expected for release builds, but credentials require careful handling.

User impact: If a user places signing passwords directly in commands or chat, those secrets could be exposed in shell history, logs, or conversation context.
Recommendation: Avoid sharing keystore passwords in chat; prefer secure local environment variables, CI secret storage, or interactive prompts where possible.