Postcss Config Validator
Security checks across malware telemetry and agentic risk
Overview
This skill appears limited to running a local Python validator against PostCSS configuration files, with no credentials or network behavior, though it links to no public source for verifying provenance.
This appears safe for its stated purpose: validating local PostCSS configuration files. Before installing, note that it runs a local Python script and the registry does not provide a source repository or homepage, so use it on intended project files and review the included code if your project is sensitive.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong path, it may read a local file outside the intended PostCSS config scope, though the artifacts do not show file modification or external transmission.
The validator reads the local file path it is asked to validate. This is expected for a config validator, but users should point it only at intended project configuration files.
text = p.read_text(encoding="utf-8").strip()
Run the commands only against PostCSS config files or package.json files you intentionally choose.
Users have less external context for verifying the publisher or independently auditing the package history.
The package does not link to a public source repository or homepage, which limits provenance verification. The artifacts also show no external dependency install path.
Source: unknown; Homepage: none
Review the included files and publisher identity before relying on the skill in sensitive projects.
Installing or invoking the skill runs local Python code, but the documented commands are limited to validation-style operations.
The skill is intended to execute a local Python validation script. This is purpose-aligned and disclosed in the command examples.
python3 scripts/postcss_config_validator.py validate .postcssrc
Invoke it deliberately and review the script if your environment has sensitive project files.
