WPS Web Builder
PassAudited by ClawScan on May 10, 2026.
Overview
The visible artifacts describe a normal web-project builder, but it will write project files, install/run dependencies, store a plan file, and start a local development server.
This appears suitable for building web projects if you run it in the correct folder. Before installing generated dependencies or leaving the preview server running, review the generated files and stop any background server when you are done.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated web projects may run npm, pip, or npx commands on the local machine.
The workflow directs the agent to install dependencies, run builds, and start a server. This is expected for a web-builder skill, but it means local commands and dependency scripts may execute.
全部代码写完后,统一安装依赖并验证项目能否正常运行... 执行构建... 启动开发服务器
Use it in a trusted project directory, review generated package files before installation, and rely on normal command-approval prompts where available.
Installing the generated project may fetch and run third-party package code.
The skill generates projects that depend on external JavaScript or Python packages. This is purpose-aligned, but the visible artifacts do not provide pinned dependency locks.
技术栈:Next.js 15 (App Router) + Tailwind + shadcn/ui + Prisma ... 安装依赖 ... Python 后端用 pip install
Review dependencies, prefer lockfiles or pinned versions for real projects, and avoid installing generated dependencies in sensitive environments without review.
Project details may remain on disk and may shape later work if the skill is invoked again in the same directory.
The skill stores and later reuses project requirements and progress from a local plan file. This is useful persistence, but stale or externally edited plan content can influence future runs.
查找:当前工作目录下的 .web-builder/plan.md ... 文件已存在:读取内容,告诉用户上次做到哪了,从当前阶段继续。
Review or delete .web-builder/plan.md when switching projects, and treat plan files from untrusted repositories as untrusted input.
A preview server may keep running after the build task and could be reachable from the local machine or network depending on how it is started.
The delivery checklist expects a development server to remain running in the background and to provide access links. This is normal for previewing a web app, but it is a persistent local process.
- [ ] 开发服务器保持后台运行 - [ ] 本地访问链接已输出(Markdown 超链接格式) - [ ] 局域网访问链接已输出(Markdown 超链接格式)
Stop the development server when finished, and avoid serving sensitive data from preview apps unless you understand the network exposure.