Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Taro Mini-Program Development Skill
v1.0.1
Taro + React + TypeScript WeChat mini-program development framework skill. Applicable to: (1) initializing a Taro project from scratch and compiling it into a WeChat mini-program; (2) creating pages, components, and styles; (3) building a services request layer (connecting to a real backend or Mock data); (4) configuring the TabBar, page routing, and the design system. Trigger keywords: mini-program development, ...
by xuyongliang@xuyongliang-eccom
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Taro + React + TypeScript mini-program development) matches the included project template, page/component examples, services stubs, build/init scripts, and documentation. There are no environment variables, binaries, or config paths requested that are unrelated to initializing/building a Taro project.
Instruction Scope
SKILL.md provides concrete developer instructions (npx @tarojs/cli init, npm install, npm run dev/build) and references only project files and local mock/BASE_URL placeholders. It does not instruct reading unrelated system files, exfiltrating secrets, or posting data to unexpected external endpoints. The only external URLs are placeholder API/base URLs and image placeholders used in UI assets.
Install Mechanism
There is no install spec (instruction-only), so nothing is auto-downloaded during install. The skill contains a project template and shell scripts (init_project.sh, build_project.sh) that copy and modify files. Those scripts use standard cp/sed operations on local files; they do not fetch code from untrusted URLs or create nonstandard system binaries.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code contains expected development placeholders (IS_MOCK, BASE_URL) and a test AppID ('touristappid') appropriate for development. No unrelated tokens/keys are requested.
Persistence & Privilege
always:false and model invocation are normal. The included init script will create a project directory (copies template to ../<project>) and uses sed to replace placeholders — this writes files to disk outside the skill folder when the script is run. This is expected for a project initializer but the user should be aware it will modify the filesystem in the working area where it's executed.
Assessment
This package appears to be a coherent Taro mini-program starter. Before running anything:
1) Review the template files and scripts (init_project.sh, build_project.sh) so you know what will be copied/modified and where (the init script copies to ../<projectName>).
2) Run the scripts from a controlled working directory to avoid accidentally creating files in an unexpected location.
3) Inspect and update placeholders: set IS_MOCK appropriately, change BASE_URL to your backend, and do not use 'touristappid' in production.
4) npm install will fetch third-party packages; check package.json versions for known vulnerabilities and run it in a trusted network environment.
5) The README suggests enabling '不校验合法域名' (skip validation of legal domains) in the WeChat dev tools for development; only do this for local testing, not for production builds.
If you want extra assurance, run the init steps manually rather than executing the provided shell scripts.
