Epic Design

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (you-are-now); human review is required before treating this skill as clean.

This skill appears reasonable to install if you want a motion-heavy cinematic web-design assistant. Before using it on sensitive client work, review the helper scripts, run asset inspection only on intended files, and clearly state if you want restrained motion or a simpler static design. ClawScan detected prompt-injection indicators (you-are-now), so this skill requires review even though the model response was benign.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may push animated, premium-style designs even when a minimal design would be more appropriate.

Why it was flagged

The skill strongly biases the agent toward cinematic animation for broad web-design tasks. This is consistent with the skill's purpose, but it may override a user's preference for a simpler or static design if not checked.

Skill content

Use aggressively for ANY web design task. ... Never build a flat, static page when this skill is active.

Recommendation

Use this skill when you want cinematic motion effects, and explicitly tell the agent if you want a simple, static, or accessibility-first design.

What this means

The skill may process your uploaded images with included helper scripts before generating the design.

Why it was flagged

The skill directs the agent to execute a local helper script against provided image assets. This is purpose-aligned for asset inspection, but it is still local code execution.

Skill content

Run `scripts/inspect-assets.py` on every image the user has provided.

Recommendation

Run the skill only on intended project assets, and review or approve helper script execution if your agent environment supports that.

What this means

You may have less external provenance information for the helper scripts and their runtime assumptions.

Why it was flagged

The skill has local helper scripts but limited source/homepage provenance and no install/runtime declaration. This is not evidence of malicious behavior, but it reduces setup transparency.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill. Code file presence: 2 code file(s): scripts/inspect-assets.py, scripts/validate-layers.js

Recommendation

Inspect the included scripts in your installed copy before use, especially if running them on private or client assets.

What this means

Information or instructions in those context files may shape the generated website plan and code.

Why it was flagged

The skill instructs the agent to use local project context files as task context. This is scoped and purpose-aligned, but those files can influence the agent's design decisions.

Skill content

If `project-context.md` or `product-context.md` exists, read it before asking questions. Use that context...

Recommendation

Keep only intended project information in those files and avoid placing secrets or untrusted instructions there.