ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

React Native Update (Pushy) Integration

v0.3.0

Unified integration skill for React Native Update / Pushy(统一入口)across OpenClaw and Claude Code workflows. Use for 安装配置, appKey/update.json 接线, iOS/Android 原生...

0· 603·0 current·1 all-time
bySunny Luo@sunnylqm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, SKILL.md, playbook and doctor script are coherent for a React Native Update/Pushy integration helper. One small mismatch: the metadata lists no required binaries, but the playbook and doctor script assume common dev tools (node, npm/yarn, pod) are available and will be used (e.g. `npm i`, `pod install`, `node -e`). This is expected for the task but the missing required-binaries declaration is a documentation gap.
Instruction Scope
Runtime instructions stick to integration tasks: detecting project type, applying dependency steps from the included playbook, wiring appKey/update.json, doing minimal native edits, and running the bundled `integration_doctor.sh`. The script only reads project files (package.json, update.json, ios/Podfile, android) and greps for expo-updates; it does not contact external endpoints or read arbitrary system config.
Install Mechanism
This is an instruction-only skill with no install spec or downloads. No archives, remote installers, or unknown third-party URLs are introduced by the skill itself.
Credentials
The skill requests no environment variables or credentials. It does expect local project files (notably update.json, which contains platform appKey values). Those appKey values may be sensitive for your rollout configuration — the skill reads them locally but does not exfiltrate them. Ensure you are comfortable having the agent inspect these files before running the doctor.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or global agent configuration. It also does not write long-lived credentials or change system-wide settings.
Assessment
This appears to be a legitimate React Native / Pushy integration helper. Before using it: (1) verify you have Node/npm (and CocoaPods for iOS) available locally — the playbook and doctor rely on them; (2) review update.json and sensitive appKey values locally (the skill reads that file but does not send data externally); (3) avoid blindly running global installers from the playbook (e.g., `npm i -g`) without understanding them — prefer local installs when possible; (4) run the included `scripts/integration_doctor.sh` in a safe, local checkout or sandbox to see its output; and (5) if you will let the agent run commands autonomously, limit that to a trusted agent/context because instruction-only skills can still execute shell commands on your behalf.

Like a lobster shell, security has layers — review code before you run it.

claude-codevk9749y75mqmeyv51h6e9pbntth818wq3expovk9749y75mqmeyv51h6e9pbntth818wq3latestvk9749y75mqmeyv51h6e9pbntth818wq3openclawvk9749y75mqmeyv51h6e9pbntth818wq3pushyvk9749y75mqmeyv51h6e9pbntth818wq3react-nativevk9749y75mqmeyv51h6e9pbntth818wq3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments