Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shadcn Code Review

v1.1.0

Reviews shadcn/ui components for CVA patterns, composition with asChild, accessibility states, and data-slot usage. Use when reviewing React components using...

by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and included reference files (CVA patterns, composition, accessibility, data-slot) align: the skill is an instruction-only code-review checklist for shadcn/ui React components and does not request unrelated binaries, env vars, or credentials.
Instruction Scope
The SKILL.md review checklist and references are scoped to component patterns and accessibility and do not request secrets or system files. However, the runtime instructions include: "Load and follow [review-verification-protocol](../review-verification-protocol/SKILL.md) before reporting any issue." That reference points to a path outside the skill manifest (a parent directory). Instructing the agent to load an external/parent SKILL.md could cause it to execute or follow additional instructions not visible in this package; this is a potential escalation of scope and should be inspected before use.
Install Mechanism
No install spec and no code files to execute — the skill is instruction-only, which is the lowest-risk installation model.
Credentials
The skill declares no required environment variables, credentials, or config paths and the instructions do not reference any secrets or unrelated environment variables.
Persistence & Privilege
always is false; the skill is user-invocable and uses the platform default for autonomous invocation. It does not request persistent presence or system-wide config changes.
What to consider before installing
This skill is largely coherent and appears to be a helpful, instruction-only checklist for reviewing shadcn/ui components. The main risk is the SKILL.md line that tells the agent to "Load and follow ../review-verification-protocol/SKILL.md" — that file is outside the packaged references and could contain additional instructions that change behavior. Before installing or enabling this skill:

1) Inspect the referenced review-verification-protocol file (if available) to confirm it doesn't direct the agent to read unrelated files, exfiltrate data, or use credentials.
2) If you cannot view that file, treat the skill as untrusted or run it in a sandboxed/testing agent first.
3) Confirm there are no external network endpoints or install steps hidden in the referenced protocol.

If those checks are clean, the skill itself is low-risk and consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.
