Cancorteaw App

by cancorleone · GitHub ↗ · v0.1.1
cross-platform ⚠ suspicious
618 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install cancorteaw-app
Description
Manage Expo React Native apps on OpenClaw: create apps, add screens, start web previews on localhost, and check preview status safely within /home/patron/apps.
README (SKILL.md)

cancorteaw-app

Local Expo / React Native app builder runner for my OpenClaw server.

This skill is a controlled runner that only executes an allowlisted script: /home/patron/apps/_bin/appctl
and that script is restricted to operate under: /home/patron/apps/<project>.

What it does

This skill wraps appctl to provide a safe, repeatable workflow:

  • Create a new Expo app scaffold under /home/patron/apps/<name>
  • Add a screen file under /home/patron/apps/<name>/app/<Screen>.tsx
  • Start a web preview (expo start --web) bound to 127.0.0.1 on a chosen port
  • Check status of the preview process

Commands

1) Create a new app

Command:

  • new <name>

Example:

  • new demoapp

Result:

  • Creates /home/patron/apps/demoapp
  • Initializes git (best-effort)
  • Uses npx create-expo-app in non-interactive mode

2) Add a screen

Command:

  • add-screen <name> <screenName> <title>

Example:

  • add-screen demoapp Settings "Settings"

Result:

  • Writes: /home/patron/apps/demoapp/app/Settings.tsx
  • Makes a git commit (best-effort)

3) Start web preview

Command:

  • preview <name>

Environment:

  • EXPO_PORT (optional): override preview port
    Default: 19006

Example:

  • preview demoapp
  • EXPO_PORT=19010 preview demoapp

Result:

  • Starts npx expo start --web --port <port>
  • Writes logs to: /home/patron/apps/_logs/<name>.preview.log
  • Writes pid to: /home/patron/apps/_state/<name>.pid
  • Writes port to: /home/patron/apps/_state/<name>.port

4) Status

Command:

  • status <name>

Example:

  • status demoapp

Result:

  • Prints RUNNING with URL if process is alive
  • Otherwise prints STOPPED

Safety / Guardrails

  • The runner is allowlisted: only node, npm, npx, git, bash, python3 can be invoked.
  • All project paths are constrained to /home/patron/apps.
  • Preview binds to 127.0.0.1 (loopback). Expose it externally only via explicit SSH tunnel if desired.
  • Telemetry is disabled for Expo in preview (EXPO_NO_TELEMETRY=1).

Troubleshooting

  • If preview says running but page doesn’t load: check the log file in /home/patron/apps/_logs/.
  • If a port is busy: set EXPO_PORT to a free port and re-run preview.
  • To stop preview: kill $(cat /home/patron/apps/_state/<name>.pid) (if pid exists).
Usage Guidance
This skill appears to do what it says (manage Expo apps), but it relies on executing /home/patron/apps/_bin/appctl, which is not included in the skill. Before installing or enabling it:
  1. Inspect the file /home/patron/apps/_bin/appctl (and ensure it is the intended, auditable script).
  2. Verify file ownership/permissions so untrusted users cannot replace it.
  3. Confirm the host user account that will run the skill is non-privileged and that /home/patron/apps is writable only by trusted accounts.
  4. Be aware that npx/npm will download packages from the network (supply-chain risk); consider restricting network access or running in an isolated environment.
  5. If you cannot review or lock down appctl, treat the skill as risky because it can execute arbitrary commands on the host.
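The ownership and permission checks in the guidance above can be scripted. The following is an added example, not part of the skill or of this report: it walks from the script up to the filesystem root and reports every path component that is group- or world-writable or owned by an account other than root or the trusted user. It assumes GNU coreutils (`stat -c`, `readlink -f`); the function name and the `patron` account name in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit who could replace the host script that a skill executes.
# Assumes GNU coreutils. The function name is hypothetical.

# audit_exec_path FILE TRUSTED_USER [STOP_DIR]
# Prints one line per finding. Returns 0 if clean, 1 if anything was found.
audit_exec_path() {
  local target trusted="$2" stop="${3:-/}" p owner mode findings=0

  # Resolve symlinks first so the real file and its real parents are audited.
  target=$(readlink -f -- "$1") || { echo "MISSING: $1"; return 1; }
  [ -f "$target" ] || { echo "NOT A REGULAR FILE: $target"; return 1; }
  stop=$(readlink -f -- "$stop")

  p=$target
  while :; do
    owner=$(stat -c '%U' -- "$p")
    mode=$(stat -c '%a' -- "$p")

    # Anyone who owns a component can rewrite or swap what lies below it.
    if [ "$owner" != "root" ] && [ "$owner" != "$trusted" ]; then
      echo "OWNER: $p owned by $owner"
      findings=1
    fi

    # Octal mode & 022 is non-zero when group or others may write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "WRITABLE: $p mode $mode"
      findings=1
    fi

    if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
      break
    fi
    p=$(dirname -- "$p")
  done
  return "$findings"
}

# Usage on the path named on this page (account name "patron" is an assumption):
#   audit_exec_path /home/patron/apps/_bin/appctl patron
```

A clean result only shows that untrusted accounts cannot replace the script; the contents of appctl still need to be read.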
Capability Analysis
Type: OpenClaw Skill
Name: cancorteaw-app
Version: 0.1.1

The skill is classified as suspicious because the core `appctl` script, which is responsible for all command execution and input sanitization, is not provided for review. The `skill.json` entrypoint directly passes raw user input (`{{args}}`) to this unseen script, which then performs high-risk operations like executing `npx` commands and writing files. While `SKILL.md` claims robust safety measures (allowlisting, path constraints), these are unverifiable without the `appctl` script, creating a significant potential for shell injection, path traversal, or arbitrary code execution if `appctl` is vulnerable. This represents a critical vulnerability rather than clear malicious intent in the provided files.
Capability Assessment
Purpose & Capability
Name/description (Expo/React Native app runner) align with the documented actions (create app, add screen, start preview). However the skill.json entrypoint runs /home/patron/apps/_bin/appctl on the host — a script outside the skill bundle — so the runtime behavior depends entirely on that external script's contents rather than the packaged skill.
Instruction Scope
SKILL.md describes file writes under /home/patron/apps, running npx/create-expo-app and npx expo start (which will download packages), creating pids/logs, and recommends kill commands. It also claims an allowlist and path constraints, but those are descriptive only: the skill provides no enforcement mechanism. Because the agent will execute the host script, that script could read or modify other files or run arbitrary commands if tampered with.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — lowest install risk. The runtime still invokes npx/npm which downloads packages from the network when creating or running projects (expected behavior for Expo development).
Credentials
The skill declares no required env vars or credentials. SKILL.md notes EXPO_PORT (optional) and sets EXPO_NO_TELEMETRY in preview — these are proportional to the stated functionality and do not request secrets.
Persistence & Privilege
always:false (good), but the skill's entrypoint executes a host-local script (/home/patron/apps/_bin/appctl). Because the script is not bundled or validated, an attacker with write access to that path could make the skill execute arbitrary code. The skill also creates processes, pid files, and log files under /home/patron/apps which could be abused if the runner script is malicious or compromised.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cancorteaw-app
  3. After installation, invoke the skill by name or use /cancorteaw-app
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Added initial SKILL.md documentation describing the cancorteaw-app skill.
- Outlines commands for creating a new Expo app, adding screens, starting a web preview, and checking preview status.
- Details safety guardrails, restricted script execution, and troubleshooting steps.
- Specifies allowed commands, directory constraints, and environment variables for safe operation.
Metadata
Slug cancorteaw-app
Version 0.1.1
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Cancorteaw App?

Manage Expo React Native apps on OpenClaw: create apps, add screens, start web previews on localhost, and check preview status safely within /home/patron/apps. It is an AI Agent Skill for Claude Code / OpenClaw, with 618 downloads so far.

How do I install Cancorteaw App?

Run "/install cancorteaw-app" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cancorteaw App free?

Yes, Cancorteaw App is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Cancorteaw App support?

Cancorteaw App is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Cancorteaw App?

It is built and maintained by cancorleone (@cancorleone); the current version is v0.1.1.
