Wireframe

PassAudited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill Name: wireframe Version: 3.4.1 The wireframe skill bundle is a legitimate utility for generating ASCII, SVG, and HTML UI mockups. The core logic in `scripts/script.sh` consists of standard shell scripting for string manipulation and file writing, with no evidence of network calls, data exfiltration, or malicious command execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI02: Tool Misuse and Exploitation

What this means

The skill can create or overwrite local files wherever the selected output path points.

Why it was flagged

The included script writes generated content to a caller-supplied output path and creates parent directories.

Skill content

write_file() {
  local path="$1"
  ...
  mkdir -p "$dir"
  cat > "$path"

Recommendation

Use explicit output paths in a project folder and avoid pointing the skill at important existing files.

Note

ASI05: Unexpected Code Execution

What this means

If wireframe labels are copied from untrusted content, generated SVG or HTML files could contain unwanted markup when opened or shared.

Why it was flagged

User-controlled labels are interpolated directly into SVG text without escaping, so untrusted labels could become active markup in generated SVG/HTML outputs.

Skill content

echo "  <text x=\"${tx}\" y=\"${ty}\" text-anchor=\"middle\" class=\"label\">${label}</text>"

Recommendation

Use trusted labels, inspect generated SVG/HTML before opening or publishing, and prefer escaping or sanitizing labels if adapting the script.