Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lovable Dev
v1.0.1Lovable AI 全栈开发助手,精通自然语言建站、Supabase 集成、组件生成、一键部署
⭐ 0· 149·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims active capabilities (automatic GitHub sync, Supabase setup, one‑click deployment, domain assignment). However, the bundle is instruction-only and declares no required binaries, no env vars, and no install mechanism. If the skill truly performs remote operations it would need credentials and API access; their absence is a material mismatch between claimed purpose and the actual package.
Instruction Scope
SKILL.md is a role/prompt template that tells the agent to act as a Lovable full‑stack assistant and describes workflows and best practices. It does not instruct the agent to read system files, access environment variables, or call any external endpoints directly. That keeps the runtime instructions scoped to generation/assistance, but the prose implies automated actions (e.g., '自动同步代码到 GitHub') without specifying how to obtain or use credentials.
Install Mechanism
No install spec and no code files — lowest risk from installation. Nothing will be written to disk by an installer in this package.
Credentials
The skill requests no environment variables or credentials, yet describes features that would normally require GitHub and Supabase credentials and hosting API keys. Either the skill is only a guidance generator (in which case claims are overstated), or it expects the agent/user to provide secrets interactively — this missing justification for credential access is disproportionate to the claims.
Persistence & Privilege
always is false and there is no code that would persist or modify agent/system configuration. The skill does not request elevated or persistent privileges.
What to consider before installing
This package appears to be a prompt/instruction for an AI assistant rather than a plugin that actually performs remote actions. Before installing or trusting it: ask the publisher how GitHub/Supabase/deploy steps are executed (does the agent prompt for tokens? does it expect you to paste credentials?), do not paste secrets or tokens into chat prompts, prefer skills that explicitly declare required credentials and explain usage, and request a source/homepage or example run to verify whether it only generates code or actually performs deployments. If you need automated integration, use a skill or extension that documents its authentication flow and required permissions.Like a lobster shell, security has layers — review code before you run it.
latestvk9735nvxap8a9bgge2tz1q1f8x83d8pg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.