Back to skill
Skillv0.1.0
ClawScan security
Ui Design · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 1:37 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent for generating UI mockups using a local 'core' image-generation primitive, but there is a minor mismatch between the description (mentions muapi.ai) and the actual implementation (calls a local core/media/generate-image.sh with model 'flux-dev'); no excessive credentials or risky installs are requested.
- Guidance
- This skill appears to do what it says: convert a product brief into a UX prompt and call the agent platform's image-generation primitive. Before installing, verify two small things: (1) Clarify the 'muapi.ai' mention — confirm whether an external API or API key is actually required (none are declared), and (2) confirm what the core/media/generate-image.sh primitive does on your platform (network calls, external providers, or data retention policies). Also avoid sending sensitive or proprietary data in prompts, as the script forwards the UX brief to a model for image generation.
Review Dimensions
- Purpose & Capability
- noteThe skill's stated purpose is UI/UX mockup generation. The included script and SKILL.md implement that: they build a UX brief and call a core image-generation primitive. However the description mentions 'muapi.ai' as the generator, while the script calls a local core/media/generate-image.sh with model 'flux-dev' — a superficial mismatch that should be clarified but does not indicate malicious behavior.
- Instruction Scope
- okSKILL.md instructs the agent to expand the user's brief into a structured UX_BRIEF and then run the provided script. The instructions do not request reading unrelated files, environment variables, or external endpoints beyond the core primitive, and the script only constructs a prompt and forwards it to core/media/generate-image.sh.
- Install Mechanism
- okNo install spec is provided (instruction-only plus a small helper script). Nothing is downloaded or written to disk by an installer, which is the lowest-risk model for skills.
- Credentials
- noteThe skill requests no environment variables or credentials, which matches its stated functionality. The description's reference to muapi.ai could imply an external API or credential requirement, but no such vars are declared or used in the code — clarify whether muapi.ai is an implementation detail of the platform or an outdated note.
- Persistence & Privilege
- okThe skill does not request always:true and has no install-time persistence. It merely invokes a local core primitive; it does not modify other skills or system-wide configuration.