React Native Update (Pushy) Integration
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: react-native-update
Version: 0.3.0

The skill bundle is classified as suspicious because `SKILL.md` directly instructs the AI agent to execute a local shell script (`scripts/integration_doctor.sh`). The script's intent is diagnostic and its current implementation shows no malicious behavior (no exfiltration, no unauthorized network calls), but having the agent execute shell commands (`cd`, `grep`, `node -e`) is a risky capability. Combined with an agent vulnerability (for example, unsanitized user input for `<app-root>`), it could lead to shell injection or other command execution, even though the skill itself contains no explicit malicious code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup may install or update dependencies on your machine and in your app project.
The setup relies on external package-manager and native dependency commands, including a global npm CLI install. This is expected for React Native integration, but users should understand these commands fetch and install third-party code.
`npm i -g react-native-update-cli`; `npm i react-native-update`; `cd ios && pod install`; `npx expo prebuild`
Run these commands intentionally, preferably in a clean working tree, and review package sources, lockfile changes, and generated native files before committing.
The diagnostic script will inspect files in the selected React Native project and print integration status.
The helper is a shell script that runs local node and grep commands inside the selected app root. Its observed behavior is diagnostic and read-only, but it is still local command execution.
```sh
APP_ROOT="${1:-$(pwd)}"
cd "$APP_ROOT"
...
if node -e "const p=require('./package.json'); ..."
...
if grep -R --line-number --include='package.json' 'expo-updates' .
```

Review the script before running it and pass the intended app root path explicitly if your workspace contains multiple projects.
If misconfigured, app users could receive or apply updates in a way that is hard to notice or recover from.
The skill helps configure release-build hot updates, including silent update strategies. This is central to the stated purpose, but a bad update strategy or rollout can affect many installed app clients.
`updateStrategy`: `alwaysAlert` / `alertUpdateAndIgnoreError` / `silentAndNow` / `silentAndLater` / `null`
Use staged rollout, keep server-side rollout rules authoritative, test rollback behavior, and avoid silent strategies unless they match your release policy.
