Skill v1.1.0

ClawScan security

Ui Design Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 6, 2026, 12:17 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally coherent for generating UI design specs from the bundled datasets and producing starter files; it requests no credentials or installs, but inspect the referenced script (scripts/search.ps1) and any generated output before running in production.
Guidance
This skill looks coherent and low-risk: it uses local CSV/JSON datasets to pick styles and generate starter HTML/CSS files and does not request credentials or perform installs. Before enabling it broadly, do these simple checks:
1) Confirm scripts/search.ps1 is present and review its contents (it is referenced but not included in the manifest); any PowerShell script run with ExecutionPolicy Bypass should be inspected in a safe environment.
2) Run the skill in a sandbox or test workspace so generated files cannot overwrite important data.
3) Review generated HTML/CSS for unintended external network calls or third-party telemetry (the typography data contains Google Fonts links which will load resources from fonts.googleapis.com).
4) If you need the skill to run autonomously, restrict its working directory and filesystem permissions to limit accidental access to other files.
If you want additional assurance, provide the missing script (if intended) and I can re-evaluate its contents.

Review Dimensions

Purpose & Capability
ok: Name/description match the included assets: local CSV/JSON datasets (styles, colors, typography, patterns, rules) and the skill's declared capabilities. No unrelated environment variables, binaries, or cloud credentials are requested, which is proportionate for a design-system generator.
Instruction Scope
note: SKILL.md instructs the agent to read local data files, pick styles/palettes/typography, generate compact specs and runnable files (index.html + styles.css), and verify files on disk — all consistent with the stated purpose. One inconsistency: SKILL.md and package.json reference scripts/search.ps1, but that script file is not present in the provided file manifest. If the script were present it should be inspected before execution (it would run PowerShell with ExecutionPolicy Bypass). The instructions may cause the agent to write files to disk and reference external Google Fonts URLs from the typography data (expected).
Install Mechanism
ok: No install spec included (instruction-only skill). That represents a low-risk footprint — nothing is downloaded or written by an installer as part of installation.
Credentials
ok: The skill does not request environment variables, credentials, or config paths. The datasets include external Google Fonts URLs which are expected for typography use; no secret/credential access is requested or required.
Persistence & Privilege
ok: always is false and there are no special persistence or elevated privileges requested. The skill will ask the agent to create and verify generated files locally, which is normal for an implementation-focused design generator.