Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dev Skill
v1.0.1 · Generate SwiftUI iOS application code from PRD documents. Use when a PRD document is available and needs to be transformed into a working iOS application wit...
by 唐超 (@tc1993)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (generate SwiftUI iOS apps from PRDs) is consistent with the SKILL.md content: project layout, models, viewmodels, views and features are all about producing iOS code. However the skill also claims to verify that code compiles and to implement features that require Apple platform entitlements (push notifications, iCloud sync, provisioning). The skill declares no required binaries (Xcode/xcbuild) and no environment variables or credentials (Apple Developer account), which is inconsistent with the claimed compile-and-deploy-style capabilities.
Instruction Scope
Instructions are focused on code generation and state that the project will be created under dev-output/, compiled/verified, and then the skill will trigger qa-skill with the generated code. The instructions do not instruct reading unrelated system files or secrets, but they do direct the agent to send generated code to another skill (qa-skill). That cross-skill data flow is expected for a pipeline but is a potential privacy/exfiltration vector unless you trust qa-skill. The compile/verify step implies executing build tools which are not declared in requirements.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Note: because it promises to verify compilation, practical use will require Xcode/command-line build tools in the runtime environment; there is no install guidance for those tools.
Credentials
The skill requests no environment variables or credentials, yet its feature list includes push notifications, iCloud sync, and verifying builds — all of which normally require Apple Developer account access, provisioning profiles, certificates, or a local Xcode toolchain. The absence of any declared credentials or config paths is disproportionate to the claimed functionality and should be clarified.
Persistence & Privilege
always:false and no special persistence are fine. The skill does write output to dev-output/ and autonomously triggers qa-skill with generated code; autonomous triggering of another skill can expose generated source to that downstream skill. This is expected pipeline behavior but increases data-sharing risk; consider requiring user confirmation before triggering QA/other skills.
What to consider before installing
What to check before installing:
- Clarify build environment requirements: ask the publisher whether the skill expects Xcode, xcodebuild, or other local build tools and whether it will run compilation in your environment. If it does, ensure your environment has those tools and that you consent to builds running.
- Ask about Apple Developer credentials and entitlements: push notifications, iCloud sync, and App Store provisioning require developer account certificates/profiles. The skill currently does not request any credentials — ask how it manages entitlements and signing, and never supply developer credentials unless you understand why and how they will be used.
- Confirm what 'trigger qa-skill' means: the skill will send the generated source to another skill (qa-skill). Ask what QA does, where results or artifacts are sent, and whether the QA step transmits code off your machine or to external services.
- Review produced code before sharing: ensure the output goes to an isolated output path (dev-output/) and manually inspect generated code and any autogenerated keys/certificates before letting any automated step publish or upload it.
- Consider limiting autonomy: if possible, require user confirmation before the skill runs compilation or triggers other skills — especially when dealing with proprietary PRDs or sensitive designs.
Questions to ask the skill author/developer:
- How does the skill verify code compiles (local xcodebuild, remote CI, container)?
- Does the skill ever contact external servers (for templates, dependencies, or analytics) while generating code? If so, which domains and for what purpose?
- Does it generate or require provisioning profiles/certificates? If yes, how should users provide them securely?
- What does qa-skill do with the code and where might QA results or artifacts be sent?
Given these mismatches (compile verification and Apple-service integrations without declared build tools or credentials), treat the skill as usable only after the publisher clarifies how builds, signing, and cross-skill data sharing are implemented and how sensitive credentials are handled. If you cannot get clear answers, avoid running automated compilation or auto-triggering downstream skills.
