glmv-prd-to-app
Security checks across malware telemetry and agentic risk
Overview
The visible artifacts show a coherent app-building skill, with the main caution that one helper may install Playwright and Chromium at runtime for screenshot testing.
This skill appears suitable for a project workspace where you intend the agent to read PRDs, prototypes, and resources and generate a full app. Before use, keep unrelated private files out of /workspace, expect local project files to be created or changed, and run the helper scripts in an isolated environment if you do not want runtime package/browser installation to affect your system.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The first screenshot run may modify the Python environment and download browser components.
The screenshot helper downloads and installs Playwright and a Chromium browser at runtime if Playwright is not already available.
subprocess.run([sys.executable, "-m", "pip", "install", "playwright"], check=True)
subprocess.run([sys.executable, "-m", "playwright", "install", "chromium"], check=True)
Run this in an isolated project environment or preinstall/pin Playwright and Chromium if reproducibility or dependency control matters.
If pointed at a real external service instead of a local development app, the helper could send test requests or POST bodies to that service.
The API-checking helper can send user-specified HTTP methods and request bodies to a caller-provided base URL.
parser.add_argument("--base-url", required=True, help="Base URL for API")
...
req = urllib.request.Request(url, data=data, method=method)
Use the API checker only with intended local or development URLs, and review any endpoints file before running requests that use methods such as POST.
