Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Awesome Design Skills

v0.1.1

Use when user asks about design skills, UI skills, design tools, "what design skills are available", "help me design", "recommend a design skill", "UI/UX ski...

by Futurize Rush (@futurizerush)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (a directory of design skills) match the SKILL.md content: it lists many design-related skills and recommends installs. However, the manifest declares no required binaries or config paths, while the instructions repeatedly show git clone and package install commands. That is an inconsistency (see Instruction Scope and Install Mechanism).
Instruction Scope
SKILL.md contains concrete install commands (git clone into ~/.claude/skills, pip/npm install for some items) and allows the Bash tool. The skill metadata, however, lists no required config paths or binaries; the instructions therefore tell the agent to modify a user skill directory and run network installs without declaring those capabilities. The doc also encourages installing many unrelated third‑party repos (broad scope) and does not require or recommend verifying code before installation.
Install Mechanism
There is no formal install spec — the instructions recommend cloning arbitrary GitHub repos and running pip/npm commands. Cloning and installing code from many third‑party repositories is higher risk than an instruction-only skill that stays local. No provenance or vetting guidance is provided for those repos.
Credentials
The skill declares no environment variables or primary credential (appropriate for a directory). That said, the instructions implicitly require network access and command-line tools (git, npm, pip), which are not declared. There is no request for secrets, which is good, but the implicit need for CLI tooling should be declared.
Persistence & Privilege
The instructions target ~/.claude/skills for installations (writing to the agent's skill directory) but the skill metadata does not declare config path requirements. While always:false and model invocation defaults are OK, writing many third‑party skill repos into the user's skill directory increases the blast radius and should be explicit and audited.
What to consider before installing
This skill is a curated list pointing you to many third‑party GitHub repos and some package installs. The main issues: (1) SKILL.md explicitly instructs cloning repositories into ~/.claude/skills and running pip/npm installs, but the skill metadata doesn't declare required binaries or config paths, a mismatch you should treat as suspicious; (2) cloning and installing many external repos can execute unvetted code and introduce supply‑chain risk.

Before installing anything: verify the repository owners and read their README and source code; only clone trusted repositories; run installs in a sandbox or VM; ensure you have git/npm/pip and understand what packages will be installed; prefer vendor‑provided packages or official marketplace entries if available.

If the publisher can update the skill to declare required binaries (git, npm, pip), list vetted source URLs, and recommend pre‑install verification steps, that would reduce the risk and could change this assessment.
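One way to do the pre-install check the assessment above asks for, written as an added example for this page (it is not ClawHub's scanner and not the skill's own code): scan a SKILL.md for git clone / pip install / npm install commands, then compare the binaries and write targets those commands need against what the skill manifest declares. The SKILL.md text and both manifests are constructed for the example, and the manifest keys requires.bins and requires.config_paths are assumptions about the schema, not ClawHub's real format.

```python
"""Pre-install audit of a SKILL.md against its manifest.

Added example for this page; not ClawHub's scanner and not the skill's own
code. Assumes a SKILL.md with YAML-style front matter followed by Markdown,
and a manifest dict with the hypothetical keys requires.bins and
requires.config_paths (the real ClawHub schema may differ).
"""
import os
import re
import shutil

# Constructed SKILL.md modelled on the scan findings above; not the real file.
SAMPLE_SKILL_MD = """---
name: awesome-design-skills
description: Directory of design skills
allowed-tools: Bash
always: false
---
# Design skills

Install a skill into your agent's skill directory:

    git clone https://github.com/example-org/ui-kit ~/.claude/skills/ui-kit

Some entries also need packages:

    pip install example-design-lint
    npm install -g example-palette-cli
"""

# Constructed manifests: what the scanner saw (nothing declared) and a fixed one.
UNDECLARED_MANIFEST = {"requires": {"bins": [], "config_paths": []}, "env": []}
DECLARED_MANIFEST = {
    "requires": {"bins": ["git", "pip", "npm"], "config_paths": ["~/.claude/skills"]},
    "env": [],
}

# Install commands that an instruction-only skill should not need at all.
INSTALL_PATTERNS = {
    "git": re.compile(r"\bgit\s+clone\s+(\S+)(?:\s+(\S+))?"),
    "pip": re.compile(r"\bpip3?\s+install\s+(.+?)\s*$"),
    "npm": re.compile(r"\bnpm\s+(?:install|i)\s+(.+?)\s*$"),
}


def find_install_commands(skill_md):
    """Return (binary, argument, write_target) for each install command found.

    write_target is the clone destination for git clone, else None.
    """
    found = []
    for line in skill_md.splitlines():
        for binary, pat in INSTALL_PATTERNS.items():
            m = pat.search(line)
            if m:
                target = m.group(2) if binary == "git" else None
                found.append((binary, m.group(1), target))
    return found


def audit(skill_md, manifest):
    """Compare what the instructions run with what the manifest declares."""
    cmds = find_install_commands(skill_md)
    requires = manifest.get("requires", {})
    declared_bins = set(requires.get("bins", []))
    declared_paths = [os.path.expanduser(p) for p in requires.get("config_paths", [])]

    needed_bins = sorted({b for b, _, _ in cmds})
    undeclared_bins = [b for b in needed_bins if b not in declared_bins]

    write_targets = sorted({t for _, _, t in cmds if t})
    undeclared_writes = [
        t for t in write_targets
        if not any(os.path.expanduser(t).startswith(p) for p in declared_paths)
    ]

    return {
        "commands": cmds,
        # Every repo here is third-party code: read its source before cloning.
        "repos_to_review": sorted({a for b, a, _ in cmds if b == "git"}),
        "undeclared_binaries": undeclared_bins,
        "undeclared_write_targets": undeclared_writes,
        # Tools the instructions need but this machine lacks (environment-dependent).
        "binaries_missing_locally": [b for b in needed_bins if shutil.which(b) is None],
        # The mismatch the scanner flagged: instructions need more than is declared.
        "suspicious": bool(undeclared_bins or undeclared_writes),
    }


if __name__ == "__main__":
    for label, manifest in (("as published", UNDECLARED_MANIFEST), ("declared", DECLARED_MANIFEST)):
        report = audit(SAMPLE_SKILL_MD, manifest)
        print(f"[{label}] suspicious={report['suspicious']}")
        for key in ("repos_to_review", "undeclared_binaries", "undeclared_write_targets"):
            print(f"  {key}: {report[key]}")
```

Run against the constructed manifest with nothing declared, the audit reports git, npm and pip as undeclared binaries and ~/.claude/skills/ui-kit as an undeclared write target, which is the mismatch the scan calls out; with the corrected manifest the same SKILL.md passes. The repos_to_review list is the set of URLs whose README and source you should read before cloning, ideally in a sandbox or VM as the assessment recommends.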

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bvsrg7g3v88qsg3qps5r04s84nr6c
