ClawHub

Openclaw Fullstack App

v1.0.0

Generate complete fullstack apps with React/Vue/Next frontend, Node/Python backend, PostgreSQL/MongoDB, Docker, CI/CD, auth, REST/GraphQL APIs.

0· 298·3 current·3 all-time
by@sunshine-del-ux
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise a fullstack app generator and the included SKILL.md plus generate.sh produce project scaffolding (frontend, backend, docker-compose, etc.). Required tools (Node/Python/Docker) align with the generator's outputs.
Instruction Scope
SKILL.md simply instructs running ./generate.sh and lists requirements. The script only creates files in the target directory and does not read unrelated files, call external URLs, or access environment variables beyond conventional PORT usage in example backend code. Minor issues: the script does not validate inputs, may overwrite files in the target directory, and embeds values like $NAME directly into generated files.
Install Mechanism
No install spec is present (instruction-only). The only code is generate.sh which writes scaffolding locally; no downloads or binary installs are performed by the skill itself.
Credentials
The skill declares no required credentials or config paths. However, the generated docker-compose embeds a hardcoded DB password ('pass') and a DATABASE_URL template; the DB image is set to the $DB value (defaults to 'postgresql', which is not the standard Docker image name). These are conveniences but are insecure or likely incorrect defaults and should be adjusted by the user.
Persistence & Privilege
Skill does not request persistent or elevated privileges, does not set always:true, and does not modify other skills or system-wide configuration. It only writes generated files into the chosen directory.
Assessment
This package is a simple local project scaffolder — its behavior is coherent with the description. Follow these precautions before using it: (1) Review generate.sh to confirm the exact files it will create; run it in an empty or disposable directory to avoid accidental overwrites. (2) Fix insecure defaults in the generated output (replace hardcoded DB password, set a secure DATABASE_URL, correct DB image name to 'postgres' or 'mongo' as appropriate). (3) Be aware the script does not validate or sanitize the NAME argument — avoid passing untrusted strings (e.g., containing '..' or shell-special characters). (4) The skill has no provenance (no homepage/repository/author contact); if you need stronger assurances, request source hosting or a verified author before relying on it in production. (5) After generation, inspect the produced Docker/CI configs and run in an isolated environment (e.g., local VM or throwaway container) before deploying to real services.

Like a lobster shell, security has layers — review code before you run it.

latestvk97571nyynyhved6cwwbzseefn828vsj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments