Ui Design Guide

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only UI design guidance skill with no hidden execution, credential access, persistence, or data-exfiltration behavior.

This skill is reasonable to install if you want agents to produce explicit UI design specifications before building interfaces. Review its strong style preferences first, because it may steer agents away from common fonts, colors, centered layouts, emoji icons, and quick implementation when a visual direction has not already been approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The activation contract uses broad cues such as requests involving design, prototypes, layout, typography, or style, which are common across many frontend tasks. This can cause the skill to activate when the user really needs implementation-focused guidance, leading to inappropriate instruction precedence and degraded task routing rather than direct code execution risk.

Vague Triggers

Medium
Confidence: 92%
Finding
The phrase 'any development task involving user interfaces' makes the scope substantially overbroad, causing the skill to claim authority over nearly all frontend work. In an agent system, this can crowd out more specialized skills and misroute requests, which is dangerous because the skill imposes strong stylistic and process requirements that may conflict with user intent or other task-specific constraints.

Natural-Language Policy Violations

Medium
Confidence: 79%
Finding
The skill mandates an English-language 'DESIGN SPECIFICATION' format and fixed terminology without offering locale adaptation. This is risky in multilingual environments because it can reduce usability, cause misunderstanding of required outputs, and override user language preferences, though it is not a direct security compromise.

VirusTotal

64/64 vendors flagged this skill as clean.
