Expo Mobile Dev
Review
Audited by ClawScan on May 16, 2026.
Overview
This is mostly a legitimate Expo setup workflow, but it can add other AI skills and handles sensitive app-store/OAuth credentials, so those steps need review before use.
Use this skill only if you are comfortable with an opinionated Expo workflow. Before proceeding, approve scaffolding/package commands, decline or review any proposed installation of additional AI skills, and require confirmation before EAS deploy/update/submit actions. Keep Apple .p8 keys, client secrets, Google/App Store keys, and service-account files out of git and out of shared chats.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing extra skills could change how the agent behaves in later tasks, based on third-party skill contents the user has not reviewed in this artifact set.
The skill may install additional remote AI skills that are not included in the reviewed artifacts, are not version-pinned here, and are intended to shape future work.
installs the official Expo + TanStack AI development skills so future work has expert guidance loaded ... network access to ... agent-skill registries (github.com/expo/skills, tanstack-skills, reactnativecn)
Require explicit user approval before installing any additional skills, list exact sources and versions, and provide a clear way to skip or uninstall them.
If the .p8 key or generated client secret is exposed in chat logs, terminal logs, or source control, someone could misuse the Apple OAuth configuration.
The helper script reads an Apple private key and prints an Apple OAuth client secret JWT. This is purpose-aligned for Sign in with Apple, but it handles highly sensitive credentials.
const privateKeyPem = readFileSync(`./AuthKey_${keyId}.p8`, "utf8"); ... console.log(`APPLE_CLIENT_SECRET:\n${clientSecret}`);
Run the script locally, keep .env and AuthKey_*.p8 out of git, avoid sharing the printed JWT, and store production secrets only in EAS or a trusted secret manager.
If run at the wrong time or against the wrong project, these commands could publish changes or submit builds unintentionally.
The skill's reference files document commands that can publish OTA updates or submit builds to app stores. These are expected for an Expo shipping workflow, but they are high-impact external actions.
eas update --branch production --message "fix login button" ... eas submit --profile production --platform ios ... eas submit --profile production --platform android
Treat build, update, metadata push, deploy, and submit commands as approval-required actions and verify the target account, project, branch, and profile before running them.
