Skill v1.0.0

ClawScan security

Mobile App Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 3:02 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only mobile app development helper whose requirements and instructions are consistent with its stated purpose and do not request extra installs, secrets, or persistent privileges.
Guidance
This skill is an instruction-only assistant for mobile development and appears coherent, but before handing over anything to the agent consider: only share the minimal repo/files needed (prefer a branch or limited-scope PR), never paste private signing keys or long-lived credentials directly (use ephemeral or scoped tokens where possible), prefer granting read/PR access rather than push-to-main, validate all diffs and run builds/tests locally or in your CI, and do not supply App Store/Play Console account passwords—use delegated roles or CI-managed signing. Because the skill is instruction-only, it will not run builds on its own; you should run and verify the exact validation commands it recommends.

Review Dimensions

Purpose & Capability
ok: Name/description match the SKILL.md: it describes end-to-end mobile app work and the instructions are developer-focused (planning, implementing, testing, release). There are no unexpected environment variables, binaries, or installs required that would be unrelated to building mobile apps.
Instruction Scope
ok: The SKILL.md contains standard development workflows and guardrails (clarify scope, incremental edits, validation commands, release checks). It does not instruct the agent to read unrelated system files, exfiltrate data, or contact external endpoints. The instructions imply the agent will work with repository/project files provided by the user, which is appropriate for this purpose.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes the risk because nothing is written to disk or fetched at install time.
Credentials
ok: No required environment variables, credentials, or config paths are declared. The SKILL.md mentions release signing and environment variables as things to verify, but does not request secrets itself; any request for signing keys or distribution credentials would be a user decision and should be scoped appropriately.
Persistence & Privilege
ok: always:false and no instructions to modify other skills or system-wide agent settings. The skill does not request permanent presence or elevated privileges.