ClawHub

Extract Design System

v0.1.9

Extract design primitives from a public website and generate starter token files for your project.

1· 19·0 current·0 all-time
byArvind Ram Singh Kishore@arvindrk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description match the runtime instructions: it extracts design primitives from a public website and produces starter token files. One minor inconsistency: the skill metadata declares no required binaries, but the SKILL.md instructs the agent/operator to run npx and playwright (i.e., Node/npm present). Expectation of Node/npm and network access should be documented but is not declared.
Instruction Scope
The instructions stay within the stated purpose: confirm the target URL is public, run the extraction CLI (via npx), and review the generated JSON/CSS token files. The SKILL.md explicitly warns to treat extracted outputs as untrusted and to ask before modifying existing project files, which limits scope creep. The skill does involve fetching and rendering third-party site content (via a headless Chromium), so the agent/operator should treat that content as untrusted input.
Install Mechanism
There is no install spec in the registry (instruction-only). Runtime instructions use npx to run packages (npx extract-design-system and npx playwright install chromium). npx dynamically downloads and executes packages from npm, and playwright downloads Chromium — this is common but carries moderate risk because code and binaries are fetched at runtime from external registries. The SKILL.md does not pin or document the package origin/version; that reduces transparency.
Credentials
No environment variables, credentials, or config paths are requested. The skill operates on public URLs only and does not ask for unrelated secrets, which is proportionate to its purpose.
Persistence & Privilege
The skill does not request permanent/always-on presence (always:false) and is invocable by the user. It does not claim to modify other skills or system settings. Generated files are written to project-local paths as described; the SKILL.md instructs to ask before modifying existing app code.
Assessment
This skill appears to do what it says: render a public page and produce starter design token files. Before running it, confirm you have Node/npm/npx installed and be aware that npx will fetch and execute packages from the npm registry (and Playwright will download Chromium). To reduce risk: (1) verify the exact npm package name/version you will run (avoid running unfamiliar or unpinned package names), (2) run the extraction in a sandbox/container or on a machine you can revert, (3) inspect .extract-design-system/raw.json and .extract-design-system/normalized.json before applying any generated tokens to your codebase, (4) do not run this against private or authenticated internal sites (it expects public URLs), and (5) if you plan to automate this, consider installing the CLI from a trusted source or auditing the package source code first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bg8x6g8ssnskd1sgmzd5pr18471m0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments