Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audit App Store Readiness

v1.0.0

Audit an iOS app repo (Swift/Xcode or React Native/Expo) for App Store compliance and release readiness; output a pass/warn/fail report and publish checklist.

by Tristan Manchester (@tristanmanchester)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (iOS/App Store readiness) align with the included files and runtime requirements. The skill only requires git and contains a Node script and supporting reference docs that perform static repo inspection, plist parsing, and optional Xcode build checks—all appropriate for an audit tool.
Instruction Scope
SKILL.md instructs the agent to run the bundled audit.mjs script and to prefer read-only checks. It explicitly marks mutating operations (dependency installs, expo prebuild, signing, xcodebuild archive) as MUTATING and states they should only run with explicit user consent. The instructions reference only repo files and local developer tools; they do not direct data to any external network endpoint.
Install Mechanism
No install spec is provided (instruction + bundled script only). That is low-risk: nothing is downloaded or extracted at install time, and the only runtime dependencies are Node (for running the script) and git, which are reasonable for this task.
Credentials
The skill requests no environment variables, no credentials, and no config paths. It does use local tools if present (plutil, python, xcodebuild) for higher-confidence parsing/build checks, which is proportional to its stated purpose.
Persistence & Privilege
The always flag is false, and the skill does not request persistent privileges or modify other skills. It does describe a 'fix mode' that proposes and applies patches (via an agent action like apply_patch) — this is normal for a repo-editing helper but should only be used when the user explicitly requests changes.
Assessment
This skill is coherent and appears to do what it says: static auditing of iOS/React Native/Expo repos with optional build checks. A few practical points before you run it:
(1) By default it is read-only, but it can run mutating commands (npm/pod installs, xcodebuild archive, expo prebuild) and apply patches if you ask—review any proposed patches before applying.
(2) Build-accuracy checks require macOS/Xcode; on non-mac machines the tool will fall back to static checks and mark build status as WARN.
(3) The script reads repository files (including any committed secrets); do not run it on repos containing sensitive credentials you don't want inspected.
(4) The tool executes local binaries (git, plutil, python, xcodebuild) — their presence affects behavior.
(5) SKILL.md does not include any network endpoints; however, if you run the audit inside an agent with external network access, the generated report could be transmitted by the agent itself — ensure your agent's policies around data transmission are acceptable.
If you want higher assurance, inspect the proposed patches and run the script in a sandbox or CI environment first.


Runtime requirements

Clawdis
Bins: git