Back to plugin

Security audit

Frontend Craft

Security checks across malware telemetry and agentic risk

Overview

Frontend Craft is a coherent frontend workflow plugin with purpose-aligned file writes, formatting hooks, and optional local diagram tooling, but users should understand those workspace effects before enabling it.

Install only if you want broad frontend workflow assistance. Review the config flags, especially automatic formatting after write/edit tools; run the workspace init tool only against the intended OpenClaw workspace; review generated reports and documentation edits before committing; keep the interactive diagram server on 127.0.0.1 and avoid putting sensitive architecture or private data into live sessions; add MCP credentials only via environment variables you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (43)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description says to use this skill when 'absorbing ideas, capabilities, workflows, architecture, quality systems, ecosystem extensions, or engineering practices from any reference system into the current project,' which is extremely broad and lacks concrete trigger phrases or exclusion examples beyond a few general cases. This creates ambiguity about when the skill should activate versus when ordinary design, migration, benchmarking, or research tasks should use a different skill.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The expected output section specifies fixed report headings such as 'Absorption candidates,' 'Recommended target design,' and 'Verification Checklist' in English, with no indication that the user may choose another language. Because the rest of the file is not consistently English, these prescribed English output labels can be read as forcing a specific language without user opt-in.

Credential Access

High
Category
Privilege Escalation
Content
- Record status codes, error codes, idempotence, retry semantics and time zone/amount/enumeration rules for front-end and back-end collaboration items.

5. Handle authentication refresh
   - Access token has a short life cycle, and refresh is prioritized in httpOnly cookies or server sessions.
   - Only a single refresh of the queue is allowed after 401 to avoid multiple requests being refreshed at the same time.
   - If the refresh fails, you need to clear the local identity status and jump to login.
   - Do not put bearer token in URL, localStorage or logs.
Confidence
70% confidence
Finding
Access token

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description contains a very broad set of activation cues such as generic 'backend requirements' and 'API requirements clarification', which can cause the agent to invoke this skill in many unrelated situations. Over-broad triggering is dangerous because it can misroute user requests, suppress use of more appropriate skills, and lead to incorrect requirement artifacts being generated or written to the repository without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill’s activation description is broad enough to match many generic review requests, which can cause the agent to invoke this skill outside a narrowly intended scope. Over-broad routing is risky because it can bypass more appropriate specialized skills or trigger review behaviors the user did not explicitly request, increasing the chance of unintended actions or misleading output.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to save a report file into the repository, but does not require explicit user consent before writing. Any autonomous file write is security-relevant because it changes the user’s workspace, may overwrite or add tracked content, and can be abused through prompt-driven invocation to create unwanted files or artifacts.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description uses very broad trigger phrases such as 'unit testing' and 'component testing', which can cause the skill to activate for many generic requests rather than only when this specific workflow is appropriate. In an agent system, over-broad activation can misroute user requests, suppress better-matched skills, or cause the agent to follow the wrong testing procedure, reducing reliability and potentially affecting security-sensitive review flows.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description uses broad activation phrases such as 'data fetch', 'cache', and 'optimistic updates', which can cause the skill to trigger in many loosely related contexts. Over-broad invocation is dangerous because it can route users into guidance that is not the best fit for their task, increasing the chance of inappropriate recommendations or accidental application outside intended scope.

Natural-Language Policy Violations

Low
Confidence
84% confidence
Finding
The description includes Chinese-language triggers without any user opt-in, locale setting, or justification for multilingual activation. This is risky because it broadens activation unexpectedly across languages and may cause the skill to engage for users who did not intend to invoke it, especially when combined with already broad trigger wording.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description contains very broad triggers like debugging, troubleshooting, errors, exceptions, white screens, and request failures, which are common across many ordinary developer tasks. This can cause the skill to activate in situations beyond its intended scope, potentially steering the agent into diagnostic workflows, command suggestions, or repository modifications when the user did not explicitly request them.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs saving a diagnostic report as a repository file under reports/debug-YYYY-MM-DD-HHmmss.md, but it does not disclose this write behavior or require explicit user approval. Hidden or under-disclosed file writes are risky because they can modify the working tree, create noisy artifacts, or persist sensitive debugging details without the user's informed consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation description is broad enough to match routine documentation requests such as README updates, docs sync, and API document synchronization, which can cause the skill to activate outside a narrowly scoped frontend-doc-sync task. Over-broad triggering increases the chance of unintended repository-wide scanning and edits, including files the user did not mean to include, making it a real scope-control weakness even if not overtly malicious.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
These lines require multilingual synchronization whenever multilingual documents exist, without user opt-in or locale selection. That expands the task from a targeted documentation update into potentially many cross-language file modifications, increasing the risk of unintended edits, mistranslations, and disclosure or propagation of incorrect technical facts across public documentation.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
This constraint mandates checking all language entries and synchronizing key public facts across them, again without user authorization for expanded language scope. In context, that makes the skill more dangerous because it is designed to operate across repository documentation and may push wide, low-confidence edits into translations or localized docs that the user did not request.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill trigger description is extremely broad and contains many loosely bounded natural-language phrases such as 'architecture diagrams', 'flowcharts', 'shape retrieval', and 'code structure diagrams'. This can cause the agent to invoke the skill for requests outside its safest intended scope, increasing the chance of unnecessary file scanning, external tool usage, or handling user content in a workflow that may expose sensitive project structure or route data to optional external services.

Missing User Warnings

Low
Confidence
87% confidence
Finding
This markdown file explains that the first run automatically generates baseline artifacts and later updates them, but it does not include an explicit user warning that these operations create or overwrite files. Because markdown files should warn about behaviors that affect user data or system state, the omission is a minor disclosure gap.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description contains broad activation terms such as 'form', 'form validation', and 'dynamic fields', which can cause the skill to trigger in contexts far beyond the intended narrow use case. Over-broad routing increases the chance this skill overrides more appropriate guidance, leading to unnecessary dependency introduction or misapplied implementation patterns across unrelated tasks.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The description explicitly includes Chinese trigger terms without user opt-in, which can cause the skill to activate solely based on language-specific keywords rather than actual task relevance. This weakens routing precision and may lead to unsolicited behavior for multilingual users, especially when a generic word maps to many benign contexts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The server exposes /sessions, /state, /export, /clear, and /events for any caller who can reach the local port, with no authentication or per-session secret. Because session IDs are guessable and enumerable, one local process or web page that can access localhost could inspect, export, or clear other users' diagram data, which exceeds the stated single-purpose image/diagram workflow.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The server persists full session command history under a shared OS temp directory, which can leave diagram contents available beyond the active session lifetime. On multi-user systems or environments where temp files are readable by other local users/processes, this can expose potentially sensitive diagram text, topology, or metadata and creates unnecessary retention for a transient rendering service.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation description is broad enough to match many ordinary frontend implementation requests, which can cause the skill to trigger outside narrowly intended design-to-code scenarios. Over-broad routing increases the chance an agent applies design-tool-specific behaviors, file modifications, or planning steps in unrelated tasks, creating unsafe or surprising execution paths.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The description specifies that 'Chinese triggers include PWA, offline, Service Worker,' which introduces a language-specific activation policy. The file does not indicate that trigger language is optional or that users may choose other languages, so it creates an implicit locale/language constraint without opt-in.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill activation description is very broad, covering most React + TypeScript architecture and review tasks, which can cause the agent to invoke this skill in many ordinary situations without strong boundaries. Over-broad triggering is dangerous because it increases unintended skill activation, crowds out more specialized skills, and can steer responses toward generic architectural prescriptions rather than task-appropriate or security-focused guidance.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description includes very broad trigger phrases such as 'clean up unused', 'dead code', and 'delete useless code', which are common in ordinary engineering discussion and can cause the skill to activate in contexts beyond its narrow intended use. Unintended activation is risky here because the skill authorizes code deletion and cleanup actions, so a mistaken match could lead to inappropriate or overconfident refactoring guidance in unrelated tasks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description uses very broad activation criteria covering many common frontend design and implementation tasks, which can cause the skill to be invoked in situations where it is not specifically needed. Over-broad routing increases the chance of inappropriate context injection, conflicting guidance, or unintended influence over unrelated work, especially in agentic systems that auto-select skills from descriptions.

VirusTotal

64/64 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.obfuscated_code

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/index.js:187
Evidence
`);e=e.replace($be,"").trimEnd();let r=Object.create(null),n=d0(0,e,Vbe,"").replace($be,"").trimEnd(),a;for(;a=Vbe.exec(e);){let s=d0(0,a[2],pFt,"");if(typeof r...

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
skills/fec-drawio-studio/scripts/drawio-export.mjs:133
Evidence
const result = spawnSync(plan.command[0], plan.command.slice(1), { stdio: "inherit" });

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
skills/fec-image-generation/scripts/export-diagram.mjs:147
Evidence
const result = spawnSync(browser, [

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
dist/index.js:152
Evidence
`){let Ii="Implicit keys of flow sequence pairs need to be on a single line";Ne.errors.push(new t.YAMLSemanticError(ur,Ii));break}}}else Xe=null;Mt=null,$e=!1,U...