ClawHub

Produce thoughtful, well-crafted design artifacts (slide decks, interactive prototypes, hi-fi mockups, animated videos, landing pages, dashboards, marketing one-pagers) using HTML/CSS/JS/SVG as the medium. Use this skill whenever the user asks to "design", "mock up", "prototype", "make a deck", "make slides", "make a landing page", "create a dashboard", "visualize X", "build a UI", "build an interactive demo", or any request whose deliverable is a visual artifact rather than production code. Also trigger for requests like "recreate this UI", "explore options for X", "give me variations of Y", or when the user attaches screenshots/Figma/PRDs and wants a visual response. HTML is the tool; the medium varies — embody the right expert (slide designer, UX designer, animator, prototyper) for the task

Security checks across malware telemetry and agentic risk

Overview

This is a design/prototyping skill with some normal project-file and browser-library risks, but no hidden install, credential theft, destructive action, or exfiltration behavior was found.

Install this where you are comfortable letting the agent read design-related project files and write prototype or deck assets. Review generated HTML before sharing, especially if it loads public CDNs or uses host-provided LLM helpers, and consider correcting the marketplace capability tags because the artifacts do not support claims like crypto, purchases, or sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The reference recommends loading third-party libraries from public CDNs, including an explicitly unpinned `@latest` URL and examples without integrity protection. In a skill that generates HTML/JS artifacts, this can propagate supply-chain risk into produced artifacts: a compromised CDN, malicious upstream release, or breaking update could execute arbitrary code in the viewer's browser.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger description is extremely broad and can activate on many generic requests such as 'design', 'visualize X', or 'build a UI', increasing the chance the skill is invoked in contexts where it should not be. Over-broad activation can cause unnecessary file inspection, unintended context gathering, or execution of this skill instead of a more appropriate, narrower one, expanding the attack surface for prompt-injection or data overreach.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal