Fe Cli
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: fe-cli
Version: 0.1.16
The fe-cli skill bundle is a comprehensive frontend project scaffolding tool that automates the creation of React, Vue, Next.js, and Electron projects using pnpm and Vite. It provides well-structured templates for API handling, state management, and a custom logging service (services/logger.ts and services/log-export.ts). While the logging service includes a placeholder for remote log submission, it is designed as a standard developer utility for error reporting, defaults to sending only error-level logs, and includes explicit comments about stripping sensitive data, showing no evidence of malicious intent or unauthorized data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the generated project may execute third-party package build scripts from the JavaScript ecosystem.
The generated projects rely on pnpm dependency installation and may pre-approve specified native dependency build scripts. This is common for frontend scaffolding but is still supply-chain-sensitive.
Package manager: always use pnpm ... In package.json, use `pnpm.onlyBuiltDependencies` to auto-approve native build scripts (e.g. `@parcel/watcher`).
Review package.json, pnpm lockfiles, and onlyBuiltDependencies before running pnpm install, especially in sensitive environments.
If enabled and configured, the generated desktop app can later receive executable updates from the configured update source.
The Electron template includes a disclosed auto-update mechanism that periodically checks for updates and can install downloaded app updates on quit.
Auto Update: Yes (default) / No ... autoUpdater.autoInstallOnAppQuit = true; ... setInterval(() => autoUpdater.checkForUpdatesAndNotify(), 4 * 60 * 60 * 1000);
Disable auto-update if not needed, replace placeholder update URLs, use HTTPS and signed releases, and make update installation explicit for production apps.
A generated app using this pattern could expose tokens if it later has XSS vulnerabilities or misconfigured API endpoints.
The generated API wrapper reads an auth token from browser localStorage and attaches it to outgoing API requests, which is expected for an app template but credential-sensitive.
const TOKEN_KEY = 'auth_token'; ... return localStorage.getItem(TOKEN_KEY); ... Authorization: `Bearer ${token}`
For sensitive applications, consider httpOnly secure cookies or stricter token handling, and verify VITE_API_BASE_URL before production use.
Future AI agents may rely on .ai/PROJECT.md, and application logs could retain data that developers accidentally log.
The skill creates persistent AI-readable project context and logging/export templates. These are disclosed and useful, but they can retain or influence future project context.
generate `.ai/PROJECT.md` ... This file is for AI agents to quickly understand the project ... `logger.ts` ... persistence ... `log-export.ts` ... log export (download as .log/.json) + remote reporting (TBD)
Review .ai/PROJECT.md and log-export behavior before committing or deploying; do not place secrets in AI docs, logs, or generated env files.
