claw2ui
Pass
Audited by ClawScan on May 1, 2026.
Overview
Claw2UI’s artifacts are coherent for building and publishing web pages, but users should remember that published content goes to a public URL and relies on an external CLI/service.
Install only if you are comfortable using the external Claw2UI CLI/server. Before publishing, review the generated page, remove private data, confirm the public URL action, use TTLs for temporary content, protect ~/.claw2ui.json, and keep any self-hosted backup dataset private.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anything included in the generated dashboard or report may be visible to anyone with the published link.
Publishing to a public URL is central to the skill and clearly disclosed, but it is a sensitive action if the page includes private or confidential data.
Every published page is accessible via a public URL. Never publish without explicit user approval.
Only publish after reviewing the content, remove secrets or personal data, and use a TTL for temporary or sensitive pages.
A local token file can grant access to the configured Claw2UI server if another process or person reads it.
The skill stores an authentication token locally so the CLI can publish to the configured server; this is disclosed and expected for the workflow.
Writes ~/.claw2ui.json (server URL and API token for authentication)
Protect ~/.claw2ui.json, avoid sharing it, and revoke or rotate the token if it may have been exposed.
The actual executable behavior comes from the external CLI package rather than code included in this skill artifact.
The reviewed artifact is instruction-only and relies on an external claw2ui CLI installation, so users should verify the npm package and source before installing.
Code file presence: No code files present — this is an instruction-only skill.
Required binaries (all must exist): node, claw2ui
Install only from the expected npm package/source, review the linked repository if needed, and keep the CLI updated from trusted channels.
If self-hosted backup is enabled, page content and token metadata are stored in an external dataset and could be exposed if the dataset is public or misconfigured.
The self-hosting guide documents optional backup of page data and token metadata to a Hugging Face Dataset when backup environment variables are set.
When enabled, Claw2UI automatically: ... On mutation: debounced (5s) upload of pages and token metadata to `backup.json`
Use a private dataset for backups, limit HF token permissions, and avoid enabling backup for sensitive page content unless storage controls are understood.
