Design Engineering
v1.2.0
Orchestrate iterative design and frontend engineering work through research, planning, sub-agent execution, and validation loops. Use when a visual/UI task r...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name and description align with the provided instructions and reference documents: orchestration of design/frontend work, sub-agent dispatch, validation checklists and rendering guidance. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Overall the SKILL.md stays on-scope (work limited to project root, sub-agents confined to project). However, two practical inconsistencies/things to watch: (1) validation snippets use a Playwright page.goto("URL") placeholder while the top-level 'Scope & Safety' asserts Playwright will only target localhost — the snippet itself does not enforce localhost and could be pointed at arbitrary URLs if misused; (2) the JS syntax check uses node -e with new Function(require('fs').readFileSync(...)), which intentionally reads and evaluates file text to catch syntax errors — this is coherent for validation but is effectively an eval-like operation and should be constrained to trusted project files. These are operational risks rather than clear contradictions.
Install Mechanism
Instruction-only skill with no install spec and no code files executed during install. Lowest-risk installation footprint.
Credentials
The skill declares no environment variables, credentials, or config paths. The requested operations are filesystem and local-dev-focused, consistent with the stated purpose.
Persistence & Privilege
always is false, agent invocation is allowed (platform default). The skill does not request permanent presence or system-wide changes and does not instruct modifying other skills' configs.
Assessment
This skill appears to do what it says: orchestrate iterative frontend design work locally. Before installing/allowing autonomous runs, consider these points: (1) enforce the project-root boundary — ensure any sub-agent/file paths are constrained so they cannot read outside the intended directory; (2) when the skill uses Playwright, ensure callers bind the URL to localhost/dev servers only (do not allow arbitrary external URLs); (3) the JS syntax check uses an eval-style pattern (new Function(readFileSync(...))) — only run that against trusted project files; (4) because the skill spawns sub-agents and runs build/test commands, run an initial review of the sub-agent task descriptions and any code changes they propose before applying them automatically. If you plan to let the agent run autonomously, restrict its network permissions and filesystem scope (or require human approval for risky steps) to reduce potential misuse.
Like a lobster shell, security has layers — review code before you run it.
