ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

App Builder

v1.0.0

Build, edit, and deploy Instant-backed apps using npx instant-cli, create-instant-app (Next.js + Codex), GitHub (gh), and Vercel (vercel). Use when asked to create a new app, modify an existing app, fix bugs, add features, or deploy/update an app. Projects live under ~/apps; always work inside the relevant app folder.

2· 2.7k·10 current·11 all-time
by@stopachka
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md describes generating an Instant app, creating a GitHub repo, and deploying to Vercel using npx instant-cli, gh, and vercel. The skill does not request unrelated binaries or credentials in its metadata; the workflows it prescribes align with the stated purpose.
Instruction Scope
Instructions direct the agent to read repo-level AGENTS.md files and local project files under ~/apps, create and capture an Instant app token/appId, run CLIs, commit/push to GitHub, and push env vars from a local .env to Vercel. Reading project files and .env is expected for development, but .env may contain unrelated secrets — users should be aware the agent will be instructed to read and push those values to Vercel.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is downloaded or written by the skill itself. Risk from install mechanism is low.
Credentials
The skill does not declare required env vars or credentials, but its workflow requires active CLI authentication to GitHub and Vercel and the creation/handling of an Instant token. This is proportionate to its purpose; however, the skill will operate using whichever user credentials are present (CLI login), so users should confirm they want the agent to use those accounts and push to the target repos.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It directs normal developer operations within project directories and does not demand broader system changes.
Assessment
This skill appears coherent for building and deploying Instant-backed apps, but it will operate with whatever GitHub/Vercel CLI logins and local files (including .env) are available. Before enabling: 1) ensure you want an agent to create repos, commit code, and push to main on your behalf; 2) prefer using test repositories or limited-permission accounts if you don't want the agent to affect production repos; 3) review any .env values before allowing the agent to push them to Vercel (they may contain sensitive secrets); 4) confirm you are comfortable with the agent using your gh/vercel CLI sessions (it will prompt you if it cannot access them). If any of these are unacceptable, do not enable the skill or restrict the agent to a sandboxed account/repo.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ezb8sest4ppxvz7x2c0tdd80ds9d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments