Skill v1.2.1
ClawScan security
Axure Prototype Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 2:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (generate Axure-compatible JavaScript/HTML prototypes), requests no credentials or installs, and contains only static generator/example code. Review generated JS before pasting into Axure.
- Guidance: This skill appears coherent and low-risk, but take these precautions before using:
  1) Inspect the generated JavaScript/HTML before pasting it into Axure; it will execute in your browser preview and can load external resources (e.g., ECharts CDNs) or run arbitrary JS.
  2) Be cautious about pasting generated code into Axure projects that have access to sensitive data or authenticated sessions.
  3) The skill advertises paid/locked features and an unknown author contact; do not share payment or account credentials with unverified parties.
  4) If you require offline-safe prototypes, request an HTML-only output with no external network resources, or host libraries locally. If you want additional assurance, ask the author for the exact generated output for your scenario and review it for external script tags or network calls.
Review Dimensions
- Purpose & Capability (ok): Name/description (Axure prototype generator) match the included files and instructions: examples and a stock_monitor generator produce JavaScript-format HTML suitable for Axure inline frames. There are no unrelated environment variables, binaries, or cloud credentials requested.
- Instruction Scope (note): SKILL.md stays on-purpose: it instructs the user to paste generated javascript:... code into an Axure inline frame or save as HTML. It does not instruct reading system files or env vars. Caution: generated code runs in the user's browser/preview context and may include references to external libraries (ECharts is advertised). Users should inspect generated code for external network loads or dynamic behaviors before pasting into production or sensitive environments.
- Install Mechanism (ok): No install spec is provided (instruction-only). The package contains example/generator JS files but nothing is automatically downloaded or installed by the skill itself, which is the lowest-risk pattern for installation.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. The content and files do not reference secrets or system config, so requested access is proportionate to the stated purpose.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills or system settings according to the provided metadata.
