Skill v1.0.0

ClawScan security

Senior Frontend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 3:38 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only frontend design/dev skill whose requirements, instructions, and footprint are consistent with its stated purpose and do not request unrelated credentials or installs.
Guidance
This skill is internally consistent for producing Next.js + Tailwind + shadcn/ui UIs and does not request credentials or install code. Before using outputs in production: 1) review generated package.json and pin package versions (avoid blindly running scripts/npm install from unreviewed manifests); 2) inspect any remote asset URLs (fonts, images) the generated code references before deploying; 3) test generated code in a sandbox environment before running on your machine or CI; 4) if you prefer to avoid automatic activations, use the explicit /senior-frontend command or adjust agent trigger settings so it doesn't auto-run on casual prompts. Overall this appears coherent and focused on frontend design/development.

Review Dimensions

Purpose & Capability
ok
Name/description promise production-ready Next.js + Tailwind + shadcn/ui output and the skill's files (SKILL.md + design/reference docs) contain design rules and example Next.js/Tailwind components — all coherent with the stated purpose. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
note
The SKILL.md defines a detailed design-to-code process and many copy-paste examples. It instructs the agent to trigger on many frontend-related prompts (and via /senior-frontend). The instructions do not ask the agent to read system files, access credentials, or call external endpoints. Note: the broad auto-trigger phrases increase how often the skill may activate, but the actions it prescribes remain within frontend design/dev scope.
Install Mechanism
ok
No install spec and no code files that perform downloads or execs. Instruction-only skills that output code examples have low install risk because nothing is written or executed by the skill itself.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The content references standard frontend libraries and fonts (next/font/google or local) but does not require secrets or unrelated service tokens.
Persistence & Privilege
ok
always is false and disable-model-invocation is false (normal). The skill can be invoked autonomously by the agent when matching its trigger phrases; this is expected for a user-invocable frontend skill and is not combined with any broad credential or install requests.