ClawHub
Back to skill
v0.1.0

Vue Expert

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

This looks like a normal Vue development guidance skill, with only copied-example risks around setup commands and app credentials or tokens.

GuidanceThis appears safe to use as an instruction-only Vue guidance skill. When copying generated examples, manually review any npm/npx commands, Sentry tokens, session cookies, token persistence, service workers, and device-permission code before adding them to a real project.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
references/mobile-hybrid.md
npm init quasar ... npx cap add android ... npx cap sync

The reference includes shell commands for Quasar and Capacitor project setup. They are relevant to the stated mobile/hybrid Vue purpose and are presented as user-directed examples, not as automatic skill execution.

User impactIf a user copies and runs these commands, they can install dependencies and add native platform files to the current project.
RecommendationRun setup commands only in the intended project directory, review package prompts, and understand platform permissions before proceeding.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
references/build-tooling.md
authToken: process.env.SENTRY_AUTH_TOKEN

The build tooling reference shows an external Sentry integration using an auth token and source-map upload configuration. This is purpose-aligned build guidance, but it involves project credentials if used.

User impactIf copied into a real project, builds may authenticate to Sentry and upload source maps, which can expose source structure to that configured service.
RecommendationUse least-privilege tokens, keep them in environment variables, and confirm that uploading source maps is appropriate for the project.
Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
references/state-management.md
persist: { key: 'auth-storage', storage: sessionStorage, paths: ['token'] }

The Pinia persistence example stores an auth token in browser sessionStorage. This is a common app pattern, but auth token persistence is sensitive and should be deliberate.

User impactIf copied into an application, an authentication token may remain available in browser storage for the session.
RecommendationAvoid persisting sensitive tokens unless necessary, prefer secure server-managed sessions where possible, and scope persistence to the minimum required data.