Cancorteaw App

Author: cancorleone · GitHub · v0.1.1
cross-platform ⚠ suspicious
Total downloads: 618 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install cancorteaw-app
Description
Manage Expo React Native apps on OpenClaw: create apps, add screens, start web previews on localhost, and check preview status safely within /home/patron/apps.
Usage (SKILL.md)

cancorteaw-app

Local Expo / React Native app builder runner for my OpenClaw server.

This skill is a controlled runner that only executes an allowlisted script: /home/patron/apps/_bin/appctl
and that script is restricted to operate under: /home/patron/apps/<project>.

What it does

This skill wraps appctl to provide a safe, repeatable workflow:

  • Create a new Expo app scaffold under /home/patron/apps/<name>
  • Add a screen file under /home/patron/apps/<name>/app/<Screen>.tsx
  • Start a web preview (expo start --web) bound to 127.0.0.1 on a chosen port
  • Check status of the preview process

Commands

1) Create a new app

Command:

  • new <name>

Example:

  • new demoapp

Result:

  • Creates /home/patron/apps/demoapp
  • Initializes git (best-effort)
  • Uses npx create-expo-app in non-interactive mode

2) Add a screen

Command:

  • add-screen <name> <screenName> <title>

Example:

  • add-screen demoapp Settings "Settings"

Result:

  • Writes: /home/patron/apps/demoapp/app/Settings.tsx
  • Makes a git commit (best-effort)

3) Start web preview

Command:

  • preview <name>

Environment:

  • EXPO_PORT (optional): override preview port
    Default: 19006

Example:

  • preview demoapp
  • EXPO_PORT=19010 preview demoapp

Result:

  • Starts npx expo start --web --port <port>
  • Writes logs to: /home/patron/apps/_logs/<name>.preview.log
  • Writes pid to: /home/patron/apps/_state/<name>.pid
  • Writes port to: /home/patron/apps/_state/<name>.port

4) Status

Command:

  • status <name>

Example:

  • status demoapp

Result:

  • Prints RUNNING with URL if process is alive
  • Otherwise prints STOPPED

Safety / Guardrails

  • The runner is allowlisted: only node, npm, npx, git, bash, python3 can be invoked.
  • All project paths are constrained to /home/patron/apps.
  • Preview binds to 127.0.0.1 (loopback). Expose it externally only via explicit SSH tunnel if desired.
  • Telemetry is disabled for Expo in preview (EXPO_NO_TELEMETRY=1).

Troubleshooting

  • If preview says running but page doesn’t load: check the log file in /home/patron/apps/_logs/.
  • If a port is busy: set EXPO_PORT to a free port and re-run preview.
  • To stop preview: kill $(cat /home/patron/apps/_state/<name>.pid) (if pid exists).
Security recommendations
This skill appears to do what it says (manage Expo apps), but it relies on executing /home/patron/apps/_bin/appctl, which is not included in the skill. Before installing or enabling it:

  1. Inspect the file /home/patron/apps/_bin/appctl (and ensure it is the intended, auditable script).
  2. Verify file ownership/permissions so untrusted users cannot replace it.
  3. Confirm the host user account that will run the skill is non-privileged and that /home/patron/apps is writable only by trusted accounts.
  4. Be aware that npx/npm will download packages from the network (supply-chain risk); consider restricting network access or running in an isolated environment.
  5. If you cannot review or lock down appctl, treat the skill as risky because it can execute arbitrary commands on the host.
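Steps 2 and 3 above can be checked mechanically. The following is an added example, not part of the skill or of appctl: it walks from the runner script up to the apps root and fails on any symlink, group/other-writable path, or unexpected owner. The function names and the optional uid argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit a host-local runner script before trusting it.
# audit_runner <script> <root> [uid]
#   Every path from <script> up to <root> must be owned by uid 0 or the
#   expected uid (default: current user), must not be a symlink, and must
#   not be writable by group or other.

check_path() {
    p=$1 want=$2 bad=0
    info=$(ls -ldn "$p") || return 1
    mode=${info%% *}                          # e.g. -rwxr-xr-x
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    if [ -L "$p" ]; then echo "FAIL symlink: $p"; bad=1; fi
    case $mode in
        ?????w*|????????w*) echo "FAIL group/other-writable: $p"; bad=1 ;;
    esac
    if [ "$uid" != 0 ] && [ "$uid" != "$want" ]; then
        echo "FAIL owner uid $uid: $p"; bad=1
    fi
    return "$bad"
}

audit_runner() {
    script=$1 root=$2 want=${3:-$(id -u)} rc=0
    if [ ! -f "$script" ]; then echo "FAIL not a regular file: $script"; return 1; fi
    cur=$script
    while :; do
        check_path "$cur" "$want" || rc=1
        [ "$cur" = "$root" ] && break
        next=$(dirname "$cur")
        if [ "$next" = "$cur" ]; then
            echo "FAIL $script is not under $root"; return 1
        fi
        cur=$next
    done
    [ "$rc" -eq 0 ] && echo "OK $script"
    return "$rc"
}

# Stand-alone use: sh audit.sh /home/patron/apps/_bin/appctl /home/patron/apps
if [ "$#" -ge 2 ]; then audit_runner "$@"; fi
```

A passing audit only shows that the script cannot be swapped by another account; the script's contents still need to be read.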
Functional analysis
Type: OpenClaw Skill · Name: cancorteaw-app · Version: 0.1.1

The skill is classified as suspicious because the core `appctl` script, which is responsible for all command execution and input sanitization, is not provided for review. The `skill.json` entrypoint directly passes raw user input (`{{args}}`) to this unseen script, which then performs high-risk operations like executing `npx` commands and writing files. While `SKILL.md` claims robust safety measures (allowlisting, path constraints), these are unverifiable without the `appctl` script, creating a significant potential for shell injection, path traversal, or arbitrary code execution if `appctl` is vulnerable. This represents a critical vulnerability rather than clear malicious intent in the provided files.
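When reviewing appctl, the thing to look for is a strict grammar applied to `{{args}}` before anything reaches `npx`, `git` or the filesystem. The following is an added example of such a check for the four commands documented in SKILL.md; it is not appctl's own code, and the character sets, length limits and port range are assumptions.

```shell
#!/bin/sh
# Added example: strict argument grammar for the four documented commands.
# Character sets, length limits and the port range are assumptions.
LC_ALL=C; export LC_ALL        # make [A-Z] style ranges ASCII-only

# Project name: a single directory component under the apps root.
# Leading "_" or "." is refused, which also protects _bin, _logs, _state.
valid_name() {
    [ "${#1}" -le 64 ] || return 1
    case $1 in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Screen name: becomes <Screen>.tsx, so letters and digits only.
valid_screen() {
    [ "${#1}" -le 64 ] || return 1
    case $1 in
        ''|[!A-Z]*|*[!A-Za-z0-9]*) return 1 ;;
    esac
}

# Title: lands inside generated source, so no quotes or metacharacters.
valid_title() {
    [ "${#1}" -le 80 ] || return 1
    case $1 in
        ''|*[!A-Za-z0-9" "_.-]*) return 1 ;;
    esac
}

# EXPO_PORT: plain decimal, unprivileged range.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# validate_args <command> [args...]: 0 only for an exact documented form.
validate_args() {
    cmd=${1-}
    if [ "$#" -gt 0 ]; then shift; fi
    case $cmd in
        new|preview|status)
            [ "$#" -eq 1 ] && valid_name "$1" ;;
        add-screen)
            [ "$#" -eq 3 ] && valid_name "$1" && valid_screen "$2" && valid_title "$3" ;;
        *)  return 1 ;;
    esac
}
```

Because every accepted name is a single path component with no dots or slashes, a path built as /home/patron/apps/<name> cannot leave the apps root, and no accepted value contains a character the shell treats specially.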
Capability assessment
Purpose & Capability
Name/description (Expo/React Native app runner) align with the documented actions (create app, add screen, start preview). However the skill.json entrypoint runs /home/patron/apps/_bin/appctl on the host — a script outside the skill bundle — so the runtime behavior depends entirely on that external script's contents rather than the packaged skill.
Instruction Scope
SKILL.md describes file writes under /home/patron/apps, running npx/create-expo-app and npx expo start (which will download packages), creating pids/logs, and recommends kill commands. It also claims an allowlist and path constraints, but those are descriptive only: the skill provides no enforcement mechanism. Because the agent will execute the host script, that script could read or modify other files or run arbitrary commands if tampered with.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — lowest install risk. The runtime still invokes npx/npm which downloads packages from the network when creating or running projects (expected behavior for Expo development).
Credentials
The skill declares no required env vars or credentials. SKILL.md notes EXPO_PORT (optional) and sets EXPO_NO_TELEMETRY in preview — these are proportional to the stated functionality and do not request secrets.
Persistence & Privilege
always:false (good), but the skill's entrypoint executes a host-local script (/home/patron/apps/_bin/appctl). Because the script is not bundled or validated, an attacker with write access to that path could make the skill execute arbitrary code. The skill also creates processes, pid files, and log files under /home/patron/apps which could be abused if the runner script is malicious or compromised.
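How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install cancorteaw-app
  3. Once installation completes, invoke the skill by name or trigger it with /cancorteaw-app
  4. Provide the required input according to the skill's parameter description to get structured output
Version history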
v0.1.1
- Added initial SKILL.md documentation describing the cancorteaw-app skill.
- Outlines commands for creating a new Expo app, adding screens, starting a web preview, and checking preview status.
- Details safety guardrails, restricted script execution, and troubleshooting steps.
- Specifies allowed commands, directory constraints, and environment variables for safe operation.
Metadata
Slug cancorteaw-app
Version 0.1.1
License
Total installs 0
Current installs 0
Versions 1
FAQ

What is Cancorteaw App?

Manage Expo React Native apps on OpenClaw: create apps, add screens, start web previews on localhost, and check preview status safely within /home/patron/apps. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 618 total downloads so far.

How do I install Cancorteaw App?

Run the command "/install cancorteaw-app" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Cancorteaw App free?

Yes, Cancorteaw App is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Cancorteaw App support?

Cancorteaw App runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Cancorteaw App?

It is developed and maintained by cancorleone (@cancorleone); the current version is v0.1.1.
