Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
What to check before installing:
- Clarify build environment requirements: ask the publisher whether the skill expects Xcode, xcodebuild, or other local build tools and whether it will run compilation in your environment. If it does, ensure your environment has those tools and that you consent to builds running.
- Ask about Apple Developer credentials and entitlements: push notifications, iCloud sync, and App Store provisioning require developer account certificates/profiles. The skill currentl...
ℹ Purpose and capabilities
The skill's stated purpose (generate SwiftUI iOS apps from PRDs) is consistent with the SKILL.md content: project layout, models, viewmodels, views and features are all about producing iOS code. However the skill also claims to verify that code compiles and to implement features that require Apple platform entitlements (push notifications, iCloud sync, provisioning). The skill declares no required binaries (Xcode/xcbuild) and no environment variables or credentials (Apple Developer account), which is inconsistent with the claimed compile-and-deploy-style capabilities.
ℹ Instruction scope
Instructions are focused on code generation and state that the project will be created under dev-output/, compiled/verified, and then the skill will trigger qa-skill with the generated code. The instructions do not instruct reading unrelated system files or secrets, but they do direct the agent to send generated code to another skill (qa-skill). That cross-skill data flow is expected for a pipeline but is a potential privacy/exfiltration vector unless you trust qa-skill. The compile/verify step implies executing build tools which are not declared in requirements.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Note: because it promises to verify compilation, practical use will require Xcode/command-line build tools in the runtime environment; there is no install guidance for those tools.
⚠ Credential requirements
The skill requests no environment variables or credentials, yet its feature list includes push notifications, iCloud sync, and verifying builds — all of which normally require Apple Developer account access, provisioning profiles, certificates, or a local Xcode toolchain. The absence of any declared credentials or config paths is disproportionate to the claimed functionality and should be clarified.
ℹ Persistence and privileges
always:false and no special persistence are fine. The skill does write output to dev-output/ and autonomously triggers qa-skill with generated code; autonomous triggering of another skill can expose generated source to that downstream skill. This is expected pipeline behavior but increases data-sharing risk; consider requiring user confirmation before triggering QA/other skills.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/3/20
● Benign
Install command
Official: npx clawhub@latest install dev-skill
Mirror: npx clawhub@latest install dev-skill --registry https://cn.longxiaskill.com