Fe Cli
Pass. Audited by ClawScan on May 13, 2026.
Overview
This is a coherent frontend scaffolding skill with disclosed project-generation behavior, but users should review the generated dependency, token-storage, logging, and Electron auto-update defaults.
Install or run this only in a new project directory you control. Review the generated package.json, dependency approvals, .env files, Electron update settings, auth-token storage, and logging/export code before using it in production.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the generated project may execute third-party package build scripts from the JavaScript ecosystem.
The generated projects install dependencies with pnpm and may pre-approve build scripts for specified native dependencies. This is common for frontend scaffolding but is still supply-chain-sensitive: every package whose build script is approved runs its install-time code on the developer's machine.
Package manager: always use pnpm ... use `pnpm.onlyBuiltDependencies` in package.json to auto-approve native builds (e.g. `@parcel/watcher`).
Review package.json, pnpm lockfiles, and onlyBuiltDependencies before running pnpm install, especially in sensitive environments.
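The review step above can be scripted. The following is an added example, not code from the skill or from ClawScan: it reads a package.json, lists which packages pnpm will be allowed to run build scripts for, and flags any that are not on an allow-list you have already inspected. In pnpm 10 and later, lifecycle scripts of dependencies run only for packages named under `pnpm.onlyBuiltDependencies`, so that list is exactly the set of install-time code you are trusting. `REVIEWED_BUILD_SCRIPTS` and the sample package.json are constructed for illustration.

```javascript
// Added example (not the skill's or ClawScan's code): review which packages a
// generated package.json lets pnpm run build scripts for before `pnpm install`.
// pnpm 10+ runs postinstall/prepare scripts only for packages listed under
// `pnpm.onlyBuiltDependencies`; every name on that list is a package whose
// install-time code runs on your machine. REVIEWED_BUILD_SCRIPTS is an assumed
// allow-list of packages you have already inspected, not a recommendation.

const REVIEWED_BUILD_SCRIPTS = new Set(['@parcel/watcher', 'esbuild']);

// Constructed sample of a scaffold-generated package.json.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'generated-app',
  dependencies: { vite: '^5.0.0', '@parcel/watcher': '^2.4.0' },
  devDependencies: { esbuild: '^0.21.0' },
  pnpm: { onlyBuiltDependencies: ['@parcel/watcher', 'esbuild', 'some-unreviewed-pkg'] },
});

function reviewBuildApprovals(packageJsonText, reviewed = REVIEWED_BUILD_SCRIPTS) {
  const pkg = JSON.parse(packageJsonText);
  const approved = (pkg.pnpm && pkg.pnpm.onlyBuiltDependencies) || [];
  const direct = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const report = { reviewed: [], unreviewed: [], transitive: [] };
  for (const name of approved) {
    (reviewed.has(name) ? report.reviewed : report.unreviewed).push(name);
    // Approving a package that is not a direct dependency grants script
    // execution to something pulled in transitively; find its path with
    // `pnpm why <name>` and check the lockfile pins it to a version you looked at.
    if (!direct.has(name)) report.transitive.push(name);
  }
  report.safeToInstall = report.unreviewed.length === 0;
  return report;
}
```

Against a real project, call `reviewBuildApprovals(fs.readFileSync('package.json', 'utf8'))` and refuse to run `pnpm install` while `safeToInstall` is false; the `transitive` list is the set of names to chase down with `pnpm why` and check against the lockfile.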
If enabled and configured, the generated desktop app can later receive executable updates from the configured update source.
The Electron template includes a disclosed auto-update mechanism that periodically checks for updates and can install downloaded app updates on quit.
Auto Update: Yes (default) / No ... autoUpdater.autoInstallOnAppQuit = true; ... setInterval(() => autoUpdater.checkForUpdatesAndNotify(), 4 * 60 * 60 * 1000);
Disable auto-update if not needed, replace placeholder update URLs, use HTTPS and signed releases, and make update installation explicit for production apps.
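To make the difference concrete, the following added example (not the template's own code) places the template's default policy beside an explicit one. The updater object is injected so the policy can be exercised outside Electron; in a real main process you would pass `require('electron-updater').autoUpdater`, whose `autoDownload`, `autoInstallOnAppQuit`, `setFeedURL`, `checkForUpdates`, `downloadUpdate`, `quitAndInstall` and `update-available` event are used here. `PLACEHOLDER_HOSTS`, the `.test` hostnames and the fake updater are constructed for the example.

```javascript
// Added example, not the Electron template's code. Shows the template default
// (silent periodic check, install on quit) beside an opt-in policy that
// validates the feed URL, never downloads without a check the caller asked
// for, and never installs without confirmation. The updater is injected so the
// policy runs without Electron. PLACEHOLDER_HOSTS is an assumption about what
// a scaffold might leave behind; `.test` hostnames below are constructed.

const PLACEHOLDER_HOSTS = new Set(['example.com', 'your-domain.com', 'localhost']);

function validateFeedUrl(feedUrl) {
  let url;
  try { url = new URL(feedUrl); } catch { throw new Error(`update feed is not a valid URL: ${feedUrl}`); }
  if (url.protocol !== 'https:') throw new Error(`update feed must use https, got ${url.protocol}`);
  if (PLACEHOLDER_HOSTS.has(url.hostname)) throw new Error(`update feed still points at placeholder host ${url.hostname}`);
  return url.toString();
}

// Template default: periodic checks, download and install on quit, no prompt.
function configureTemplateDefault(updater, setIntervalFn = setInterval) {
  updater.autoInstallOnAppQuit = true;
  return setIntervalFn(() => updater.checkForUpdatesAndNotify(), 4 * 60 * 60 * 1000);
}

// Explicit policy: disabled unless turned on; feed validated up front; the
// user confirms before anything is downloaded or installed. Signing the
// release is part of this policy: electron-updater's signature checks only
// help when the published build is actually signed.
function configureExplicitUpdates(updater, { enabled, feedUrl, confirmUpdate }) {
  updater.autoDownload = false;
  updater.autoInstallOnAppQuit = false;
  if (!enabled) return { checkNow: async () => ({ skipped: true }) };
  updater.setFeedURL({ provider: 'generic', url: validateFeedUrl(feedUrl) });
  let pending = null;
  updater.on('update-available', (info) => { pending = info; });
  return {
    async checkNow() {
      pending = null;
      await updater.checkForUpdates();
      if (!pending) return { available: false, installed: false };
      if (!(await confirmUpdate(pending.version))) return { available: true, installed: false };
      await updater.downloadUpdate();
      updater.quitAndInstall();
      return { available: true, installed: true };
    },
  };
}

// Constructed stand-in for electron-updater's autoUpdater (an EventEmitter).
// `versionOnFeed` simulates what the feed advertises.
function makeFakeUpdater(versionOnFeed, currentVersion = '1.0.0') {
  const handlers = {};
  const fake = {
    calls: [],
    on(event, fn) { (handlers[event] = handlers[event] || []).push(fn); },
    setFeedURL(opts) { fake.calls.push(`feed:${opts.url}`); },
    async checkForUpdates() {
      fake.calls.push('check');
      if (versionOnFeed !== currentVersion) {
        for (const fn of handlers['update-available'] || []) fn({ version: versionOnFeed });
      }
    },
    checkForUpdatesAndNotify() { fake.calls.push('checkAndNotify'); },
    async downloadUpdate() { fake.calls.push('download'); },
    quitAndInstall() { fake.calls.push('install'); },
  };
  return fake;
}
```

In production, wire `checkNow` to a menu item or a settings toggle and pass a `confirmUpdate` that shows an Electron dialog; the validation step is what catches a placeholder URL left in from the scaffold before the app ships.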
A generated app using this pattern could expose tokens if it later has XSS vulnerabilities or misconfigured API endpoints.
The generated API wrapper reads an auth token from browser localStorage and attaches it to outgoing API requests, which is expected for an app template but credential-sensitive.
const TOKEN_KEY = 'auth_token'; ... return localStorage.getItem(TOKEN_KEY); ... Authorization: `Bearer ${token}`
For sensitive applications, consider httpOnly secure cookies or stricter token handling, and verify VITE_API_BASE_URL before production use.
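The following added example (not the template's generated API wrapper) puts the localStorage pattern beside a cookie-based one and shows why the difference matters under XSS: an injected script has the same `localStorage` access the wrapper has, while an httpOnly session cookie is never visible to page script. Cookie auth needs CSRF protection that bearer auth did not; a double-submit header is used here. `fetchImpl`, `storage` and `readCookie` are injected so the code runs under Node; the `X-CSRF-Token` header, the `csrf` cookie name and the `example.org` hosts are assumptions. It also checks `VITE_API_BASE_URL` as the finding recommends.

```javascript
// Added example, not the skill's api.ts. Bearer-in-localStorage (the template
// pattern) beside an httpOnly-cookie session with a double-submit CSRF header.
// Browser globals are injected so this runs outside a browser. Header and
// cookie names and all hostnames are assumptions for illustration.

const TOKEN_KEY = 'auth_token';

// Reject a VITE_API_BASE_URL that is unset, relative, or plain http outside
// local development; return a normalised base with no trailing slash.
function resolveApiBase(envValue) {
  if (!envValue) throw new Error('VITE_API_BASE_URL is not set');
  const url = new URL(envValue); // throws on relative paths and junk values
  const local = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
  if (url.protocol !== 'https:' && !local) {
    throw new Error(`VITE_API_BASE_URL must be https outside local dev, got ${envValue}`);
  }
  return url.origin + url.pathname.replace(/\/+$/, '');
}

// Template pattern: token read from storage, sent as a bearer header. Any
// script running in the page can read the same key.
function createBearerClient({ baseUrl, storage, fetchImpl }) {
  function build(path, init = {}) {
    const token = storage.getItem(TOKEN_KEY);
    const headers = { ...(init.headers || {}) };
    if (token) headers.Authorization = `Bearer ${token}`;
    return { url: `${baseUrl}${path}`, init: { ...init, headers } };
  }
  return { build, request: (path, init) => { const r = build(path, init); return fetchImpl(r.url, r.init); } };
}

// Hardened pattern: the session is an httpOnly cookie the server set; JS never
// handles it. `credentials: 'include'` makes the browser attach it. For state-
// changing methods a non-httpOnly CSRF cookie is echoed in a header, which a
// cross-site form post cannot do, so the server can reject forged requests.
function createCookieClient({ baseUrl, fetchImpl, readCookie }) {
  function build(path, init = {}) {
    const headers = { ...(init.headers || {}) };
    const method = (init.method || 'GET').toUpperCase();
    if (!['GET', 'HEAD', 'OPTIONS'].includes(method)) {
      const csrf = readCookie('csrf');
      if (!csrf) throw new Error('no csrf cookie; establish a session first');
      headers['X-CSRF-Token'] = csrf;
    }
    return { url: `${baseUrl}${path}`, init: { ...init, headers, credentials: 'include' } };
  }
  return { build, request: (path, init) => { const r = build(path, init); return fetchImpl(r.url, r.init); } };
}

// Constructed stand-in for window.localStorage.
function memoryStorage(seed = {}) {
  const m = new Map(Object.entries(seed));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// What an injected script sees in each design. Same origin, same storage API:
// the bearer token is one call away. The session cookie is httpOnly, so the
// document.cookie view (`readCookie` here) never contains it; the attacker gets
// only the CSRF token, which is useless without the cookie the browser attaches.
function xssView({ storage, readCookie }) {
  return { token: storage.getItem(TOKEN_KEY), session: readCookie('session'), csrf: readCookie('csrf') };
}
```

The cookie design moves the exposure from "any XSS reads the credential" to "XSS can make requests while the page is open", which is still a problem, but one that ends when the tab closes and that short session lifetimes and server-side revocation can bound.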
Future AI agents may rely on .ai/PROJECT.md, and application logs could retain data that developers accidentally log.
The skill creates persistent AI-readable project context and logging/export templates. These are disclosed and useful, but they can retain or influence future project context.
generate `.ai/PROJECT.md` ... This file is for AI agents to quickly understand the project ... `logger.ts` ... persistence ... `log-export.ts` ... log export (download .log/.json) + upload/reporting (to be decided)
Review .ai/PROJECT.md and log-export behavior before committing or deploying; do not place secrets in AI docs, logs, or generated env files.
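One way to enforce the "no secrets in logs" part of that review in code is a redaction pass that every log entry goes through before it is persisted or exported, so an accidentally logged token never reaches the `.log`/`.json` download or a later upload. The following is an added example, not the skill's `logger.ts` or `log-export.ts`; the key names, patterns and sample entries are assumptions constructed for illustration and should be extended per project.

```javascript
// Added example, not the skill's logger.ts / log-export.ts. Redacts secret-
// looking keys and values before an entry is stored, so export paths (.log,
// .json, future upload) only ever see redacted data. Key names and patterns
// are assumptions about what counts as a secret; extend them for the project.

const SECRET_KEYS = /^(authorization|cookie|set-cookie|password|passwd|secret|token|api[_-]?key|access[_-]?token|refresh[_-]?token)$/i;
const SECRET_PATTERNS = [
  /Bearer\s+[A-Za-z0-9\-._~+/]+=*/g,                                   // bearer tokens in free text
  /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g,    // JWT-shaped strings
  /(?<=[?&](?:token|key|api_key)=)[^&\s]+/gi,                          // secrets in query strings
];

function redactString(s) {
  return SECRET_PATTERNS.reduce((acc, re) => acc.replace(re, '[REDACTED]'), s);
}

// Walk arbitrary log data: whole values under secret-looking keys are
// replaced; every other string is pattern-scrubbed. Depth-limited so a
// cyclic or huge object cannot hang the logger.
function redact(value, keyHint = '', depth = 0) {
  if (depth > 20) return '[TRUNCATED]';
  if (typeof value === 'string') return SECRET_KEYS.test(keyHint) ? '[REDACTED]' : redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, keyHint, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : redact(v, k, depth + 1);
    }
    return out;
  }
  return value;
}

function createLogger(now = () => new Date().toISOString()) {
  const entries = [];
  function log(level, message, data = {}) {
    const entry = { ts: now(), level, message: redactString(String(message)), data: redact(data) };
    entries.push(entry);
    return entry;
  }
  // Both export formats read the already-redacted entries, so there is no
  // un-redacted path to disk or to an upload endpoint.
  function exportJson() { return JSON.stringify(entries, null, 2); }
  function exportLog() {
    return entries.map((e) => `${e.ts} [${e.level}] ${e.message} ${JSON.stringify(e.data)}`).join('\n');
  }
  return { log, exportJson, exportLog, entries };
}

// Constructed sample showing the kinds of accidental logging this catches.
function demo() {
  const logger = createLogger(() => '2026-05-13T00:00:00.000Z');
  logger.log('info', 'login ok, header was Bearer abc.def.ghi', {
    user: 'alice',
    headers: { Authorization: 'Bearer xyz', 'content-type': 'application/json' },
    password: 'hunter2',
    url: 'https://api.example.org/x?token=s3cr3t&page=2',
  });
  return logger;
}
```

Redaction at the logger is a backstop, not a substitute for not logging request headers or env values in the first place; the same `redact` function is also the right filter to run over anything written into `.ai/PROJECT.md` from project state.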
