AppDev Skill - General Application Software Development Workflow
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Most of this is a normal HarmonyOS development workflow, but a bundled demo script appears copied from a coffee-app project and can modify a user's project with unrelated demo-mode code.
Install only if you are comfortable running local shell scripts that modify a project. Avoid scripts/demo-prep.sh unless you specifically want the coffee-app demo behavior, and review Git hooks and generated file diffs before keeping them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user asks the agent to prepare a demo, it may add unrelated coffee-app assumptions and files to a generic project.
The skill is presented as a generic HarmonyOS app-development workflow, but this bundled demo helper identifies itself as a domain-specific 豆因/coffee demo tool, creating a mismatch with the advertised purpose.
║ 🎬 豆因DeveloperSkill - Demo模式准备工具 ║
Remove or clearly quarantine this legacy demo script, or document it as coffee-app-specific and require explicit user confirmation before running it.
Running the script could change application source code and configuration in ways the user did not expect for a generic app project.
The script can write project source files and patch an existing service file. Because this behavior is tied to an unrelated coffee demo, the script's authority to modify local files is broader than the generic skill purpose requires.
cat > "$config_file" ... local service_file="$PROJECT_DIR/entry/src/main/ets/services/DIYCoffeeService.ts" ... sed -i
Only run this script in a disposable/demo project after reviewing it. The publisher should add backups, dry-run output, explicit prompts, and a clear revert path.
Future commits or pushes may be blocked or modified by the installed hooks until the user removes them.
The workflow can install Git hooks that persist beyond the current command and run automatically during future Git operations. This is purpose-aligned quality gating, but users should notice the persistence.
bash scripts/setup-hooks.sh install ... pre-commit: TODO检查、规范检查、编译检查、敏感信息 ... commit-msg ... pre-push
Inspect generated hooks before installing them and confirm there is a documented uninstall or disable command.
Some documented commands may fail or cause the agent to look for unreviewed helper code elsewhere.
The documentation references helper scripts that are not listed in the provided file manifest, while the metadata also has no install spec or required binaries. This suggests incomplete or inconsistent packaging rather than confirmed malicious behavior.
bash scripts/fill-logic.sh MyService myMethod ... bash scripts/test.sh UserService
Verify all referenced scripts are present in the installed package and avoid substituting external scripts unless their source is trusted.
