ClawHub

Webflow Designer Extension

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation skill for building Webflow Designer Extensions, with only normal development and example-code risks to review.

Before installing, treat this as a developer reference: review commands before running package-manager installs, use a dedicated Webflow development workspace or test site, never share production API keys or real user credentials, and replace placeholder remote image fetches with approved assets for production extensions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs developers to provide Webflow reviewers with test credentials, including examples such as API keys and login details, but does not warn against sharing production secrets or describe a secure secret-sharing process. This can lead authors to expose long-lived or privileged credentials in insecure channels, increasing the risk of unauthorized access to backend services, third-party integrations, or user data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example performs unsolicited external fetches to picsum.photos and then uploads the returned content into the user's Webflow project, causing third-party network access and data transfer without any disclosure, consent step, or trust guidance. In a designer-extension context, users may copy this pattern directly into production extensions, which normalizes silent external dependencies and can create privacy, compliance, and supply-chain risk even if the sample itself is not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal