Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AppDev Skill - General Application Software Development Workflow

v1.0.0

Complete general-purpose application development workflow (HarmonyOS edition). Supports full-lifecycle development management from requirements to deployment. Includes: product feature design, code generation, TDD development, debugging and diagnostics, build verification, and version management. Suited to rapid development of all kinds of HarmonyOS applications. Triggered when the user needs to develop a HarmonyOS app, generate code, manage development progress, or do TDD development. Keywords: develop an app, gen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (HarmonyOS app dev workflow) aligns with the included files: code-generation templates, TDD helpers, build checks, a mock server, a CI pipeline and many helper scripts. However, the repository clearly derives from a coffee-app base (demo data and DEBUG/demo content referencing DIYCoffee) and includes AI-assisted tooling (ai-generate.sh) and sync/mock-server scripts that imply network/API usage not reflected in the declared requirements. This is plausible for the stated purpose, but the AI and network pieces are under-declared.
Instruction Scope
SKILL.md instructs the agent to run a large set of local scripts (init, generate, tdd, build-check, update, quick.sh shortcuts). Those scripts create and modify files in the project (e.g., demo-prep.sh writes DevMode files and demo data, setup-hooks.sh installs Git hooks, scripts may sed/modify service files). The runtime instructions do not direct reading unrelated system secrets, but several scripts will modify repository contents and install hooks — actions with real side effects that users should expect and review.
Install Mechanism
There is no external install spec; this is instruction-plus-scripts only. No downloads from unknown URLs were observed in the provided content. Risk is limited to the scripts' local file operations rather than arbitrary code pulled from remote hosts.
Credentials
The declared requirements list no environment variables or credentials, but the skill advertises AI-assisted features (ai-generate.sh) and sync/mock-server tools that typically require network access and API credentials (OpenAI or other LLM APIs, package registries, or remote sync endpoints). Those credentials are not declared as required, which is an inconsistency: if you plan to use the AI features, expect to provide API keys and verify where those scripts send data. Additionally, the scripts may call external CLIs (devecoc, hdc) if available; SKILL.md references them, but they are optional.
Persistence & Privilege
always:false and agent autonomous invocation are normal. The scripts do modify project files (create demo files, add DevMode, install Git hooks). That level of persistence/change is reasonable for a developer workflow but is a material privilege: installing hooks and writing code/templates will change a repo. The skill does not attempt to modify other skills or system-wide agent config in the supplied files.
What to consider before installing
Before installing or running this skill:

1) Review ai-generate.sh, sync.sh and mock-server.sh to see whether they call external APIs or expect API keys (and where they send data).
2) Inspect setup-hooks.sh and demo-prep.sh — they write files and install Git hooks (run these only in a sandbox or test repository first).
3) Do not run the scripts against production repositories without a backup (they may modify service files and create demo data).
4) If you intend to use the AI-assisted features, treat any required API keys as sensitive and confirm the scripts do not leak them to third-party endpoints.
5) If uncertain, run the workflow in an isolated environment (throwaway git repo / VM / container) and open the scripts to audit network calls (curl/npm/node invocations) and any sed/write operations before trusting them.



