Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
glmv-prd-to-app
v1.0.1
Build a complete, production-ready full-stack web application from PRD documents, prototype images, and resource files. Handles the entire pipeline: system d...
by @zai-org
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
Name/description align with included assets and scripts: design, seed data guidance, API checks, page rendering and server-wait helpers are appropriate for a PRD→app builder. There are no unrelated requested env vars, system paths, or binaries in the registry metadata.
Instruction Scope
SKILL.md confines work to project materials under /workspace (prd.md, prototypes, resources) and describes detailed, explicit steps (design.md, seed generation, mapping prototypes to data). The scripts operate on URLs and local files relevant to building and verifying the app. There is no instruction to read unrelated system files or to exfiltrate unspecified data.
Install Mechanism
No formal install spec in the registry, but scripts (render_page.py) perform runtime dependency installation via pip (installs Playwright and downloads browser binaries). That implies network downloads and writing browser executables to disk at runtime. This is functionally expected for automated screenshotting but increases runtime risk compared to purely instruction-only skills.
Credentials
The skill declares no required environment variables or credentials. The scripts take user-supplied base URLs, endpoints, and file paths — which is proportional to testing and rendering a built app. There are no demands for unrelated secrets or cross-service tokens.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or agent-wide config based on the provided files. Its runtime behavior writes artifacts into the /workspace project area (expected for build/test tasks).
Assessment
This skill appears to do what it says, but review and run with care:
1) render_page.py will pip-install Playwright and download browser binaries at runtime — expect network downloads and disk writes; consider running in an isolated container or VM.
2) The helper scripts accept arbitrary URLs and will make HTTP requests (use caution to avoid scanning internal services or exposing sensitive endpoints).
3) Inspect any generated /workspace/start.sh and other auto-generated scripts before executing them to confirm they do not run unexpected external commands.
4) If you need stricter controls, run the skill on a copy of your project without secrets and verify outputs manually before deploying to production.
Like a lobster shell, security has layers — review code before you run it.
