Skillv1.0.0

ClawScan security

Design Style · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 27, 2026, 5:35 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and instructions mostly match a design-style helper, but embedded 'role' prompts and an explicit instruction to trigger proactively (plus a 'system-prompt-override' pre-scan hit) are concerning and merit review before installing.
Guidance: This skill appears to do what it claims (provide design-system prompts used to generate styled frontend code), but there are two things to double-check before installing or enabling it widely: 1) Review the prompt files and scripts yourself (or ask the publisher): many files include <role> sections that set assistant behavior. Ensure those are harmless design instructions and do not contain hidden directives that could alter policy/safety behavior or instruct the agent to exfiltrate data or ignore safeguards. 2) Beware of the 'trigger proactively' instruction in SKILL.md: the skill asks to be invoked for ANY frontend/UI mention. If you do not want this skill to run broadly or autonomously, restrict its invocation (do not enable always/autonomous invocation, limit eligibility rules, or require explicit user confirmation before use). Optional extra steps: inspect scripts/verify-skill.sh and scripts/list-styles.sh to confirm they don't call external URLs or execute unexpected commands; search the prompt files for URLs, inline data-URIs, or any commands that ask for secrets or to access remote services. If you lack time or expertise, treat this skill as 'review before enabling' and prefer enabling it only on-demand.
Findings: [system-prompt-override] unexpected: The pre-scan flagged 'system-prompt-override' in SKILL.md (and many prompt files contain <role> blocks telling the assistant 'You are an expert...'). Using role-like blocks inside prompt templates is common for design/style templates, but this pattern can be used to attempt to override or shift the assistant's system-level behavior. That makes the finding relevant and not purely expected.

Review Dimensions

Purpose & Capability: okName/description match the actual contents: many design-system prompt files and a mapping JSON are present and the runtime instructions only read local prompt files to produce design guidance. No unrelated binaries, env vars, or external installs are requested — this aligns with the stated purpose.
Instruction Scope: concernSKILL.md instructs the agent to Read prompts/<StyleName>.md and to proactively trigger for ANY frontend/UI work. The prompt files contain embedded <role> blocks that set assistant persona/behavior (effectively injecting system-like instructions). While such prompt templates are expected for a design system, the presence of system-prompt-override patterns and the explicit 'trigger proactively' guidance broaden the agent's authority and could be used to change model behavior beyond narrowly handling a user request.
Install Mechanism: okThis is instruction-only (no install spec). Two small scripts and prompt files are included but there is no download/extract/install mechanism. No external binaries or third-party package installs are declared.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The declared capabilities (Read/Glob/Grep) match the need to load local prompt files; no unrelated secrets or services are requested.
Persistence & Privilege: notealways:false and no persistent install are present. However the SKILL.md's instruction to 'trigger this skill proactively for ANY frontend/UI work' attempts to broaden when the skill should run. Because the platform allows autonomous invocation by default, this recommendation increases the chance the skill will run widely — combine that with the embedded role prompts and the risk grows. The skill does not itself request always:true or system-wide config changes.