Wireframe

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI02: Tool Misuse and Exploitation

What this means

The skill can create or overwrite local files wherever the selected output path points.

Why it was flagged

The included script writes generated content to a caller-supplied output path and creates parent directories.

Skill content

write_file() {
  local path="$1"
  ...
  mkdir -p "$dir"
  cat > "$path"

Recommendation

Use explicit output paths in a project folder and avoid pointing the skill at important existing files.

Note

ASI05: Unexpected Code Execution

What this means

If wireframe labels are copied from untrusted content, generated SVG or HTML files could contain unwanted markup when opened or shared.

Why it was flagged

User-controlled labels are interpolated directly into SVG text without escaping, so untrusted labels could become active markup in generated SVG/HTML outputs.

Skill content

echo "  <text x=\"${tx}\" y=\"${ty}\" text-anchor=\"middle\" class=\"label\">${label}</text>"

Recommendation

Use trusted labels, inspect generated SVG/HTML before opening or publishing, and prefer escaping or sanitizing labels if adapting the script.