ClawHub
Back to skill

Security audit

UI Craft Pro

Security checks across malware telemetry and agentic risk

Overview

This is a local UI design helper skill with purpose-aligned search and design-system generation, not evidence of malware or hidden data access.

Install only if you want a local UI-design knowledge base that may guide generated code and, when explicitly requested, write design-system markdown files into your project. Review generated visual recommendations for inclusivity and brand fit before using them in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The file contains an instruction to enforce a specific output language without any user opt-in. In an agent skill, hidden prompt-level language steering can override user intent, reduce reliability, and act as a prompt injection primitive by altering downstream model behavior in ways the user did not request.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The CSV contains a fallback rule written in Chinese ('当默认列表中没有合适图标时...'), which can cause the agent to emit or prioritize Chinese-language guidance even when the user did not request that language. In a UI/code-generation skill, this can degrade reliability, confuse downstream prompting, and create prompt-injection-like behavior where embedded content overrides the expected language of interaction.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The entry for childcare/daycare uses explicitly gendered defaults ('baby pink/sky blue') as a normative UI recommendation without offering neutral alternatives or context. In a skill that guides design and implementation decisions, this can propagate biased defaults into generated products, excluding users and creating discriminatory or culturally insensitive outcomes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal