Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Swiftverify

v1.0.0

A Swift/SwiftUI project verification skill held to the Apple Design Award standard. It runs seven layers of checks (compilation, architecture, design system, accessibility, internationalization, performance, and native integration) and generates a comprehensive report.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's purpose (compile and verify Swift/SwiftUI projects using xcodebuild, swiftlint, Instruments, XCTest, etc.) is plausible, but the registry metadata declares no required binaries or environment and there are no code/script files in the package even though the SKILL.md references many scripts and resources. A verification skill would legitimately need those tools and scripts, so their absence is an incoherence.
Instruction Scope
The runtime instructions tell the agent to run repository scripts (e.g., ./agent/skills/swiftverify/scripts/run_all.sh) that would compile, inspect, and auto-modify project source. The package does not include those scripts or the referenced resource files. Instructions allow automatic code fixes (auto-fix) which modify source without describing safeguards, and paths are inconsistently referenced (.agent vs ./agent). Running these steps would give the agent the ability to read and change project files—expected for this task but not documented in the package.
Install Mechanism
There is no install spec (instruction-only), which is low-risk by itself. However, SKILL.md assumes on-disk scripts and tools that are not present in the manifest. This suggests the SKILL.md represents a design or CI snippet rather than an actually packaged skill—users should not assume the missing artifacts are present or safe.
Credentials
The skill declares no required environment variables or credentials, yet its checks (xcodebuild, signing, Instruments) commonly require macOS tooling, developer certificates, or CI secrets. Also auto-fix will write changes to repo files without stating required permissions. The absence of declared env/config requirements is disproportionate to the described operations.
Persistence & Privilege
always:false and normal model invocation are set (no privileged always-on behavior). The main privilege to note is that the described scripts would read and modify repository files; this is an expected capability for a verification/auto-fix tool but the package does not include the scripts to review beforehand, increasing risk. No evidence the skill would modify agent/global settings.
What to consider before installing
Do not run or install this skill as-is. The SKILL.md expects many scripts and resource files (scripts/, templates/, resources/) that are not included in the package manifest, and it references tools (xcodebuild, swiftlint, Instruments, XCTest) and auto-fix operations without declaring required binaries, credentials, or safeguards. Before using:
1) obtain and review the actual scripts and resource files that SKILL.md references;
2) verify exactly what commands the scripts run (especially any code-modifying auto-fix steps) and run them in an isolated environment or CI runner with repository backups;
3) confirm required binaries/OS (this requires macOS with Xcode and Instruments) and any signing/dev account usage;
4) ensure no secrets (Apple IDs, certs) are needed or, if they are, that their use is explicit and minimal;
5) ask the publisher for the missing artifacts or use the linked GitHub homepage to inspect the real repository.
The current package looks like a plan or CI snippet rather than a complete, reviewable skill—treat it as untrusted until the missing files are provided and inspected.




Runtime requirements

Clawdis
