ui-ux-pro-max for openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is an offline UI/UX helper that runs local Python to read bundled design data, and it says so up front. The scan found no evidence of hidden network access, credential use, or destructive behavior.

Install only if you are comfortable granting this skill python3 execution. Use it in a restricted workspace/profile when possible, review the bundled scripts before enabling it globally, and avoid --persist or --output-dir unless you intend it to create or overwrite design-system files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The README explicitly instructs users to grant `python3` execution rights to a skill whose stated purpose is UI/UX guidance, a capability beyond what the functional description alone would require. In agent environments, normalizing subprocess execution for a documentation-only or design-assistance skill increases the attack surface and can lead to arbitrary local code execution if the skill, or a later update to it, is malicious, compromised, or prompt-injected.

Description-Behavior Mismatch

Low
Confidence: 80%
Finding
The documentation markets the skill as 'zero-dependency' and '100% offline' while also emphasizing that it bypasses ACP configuration by relying on `exec` permissions. That framing is risky because it can socially engineer operators into treating the package as harmless while they accept elevated execution privileges, reducing scrutiny and making privilege escalation easier in practice.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill includes functionality to persist generated content into project files on disk, which exceeds a purely read/generate UI/UX advisory role and moves the security boundary from analysis to modification. In an agent setting, this can silently alter repository contents, create files in unintended locations via the caller-controlled output_dir, and lead downstream tools to trust AI-generated artifacts as authoritative design instructions.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The CLI exposes filesystem persistence via --persist and accepts user-controlled output_dir and page/project values, so this 'search' skill can write generated content to disk. In an agent setting, unexpected write capability expands the blast radius: an untrusted prompt or workflow could cause persistent files to be created in unintended locations, especially if the downstream persist function does not strictly constrain paths to the project tree.

Vague Triggers

High
Confidence: 90%
Finding
The skill activates on essentially any request involving UI, frontend code, or layout, which is an overly broad trigger surface. In context, this makes the skill more dangerous because it can force execution of a local script across many ordinary development tasks, increasing the chance of unnecessary tool use, unintended data flowing into the script, and repeated side effects.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The skill uses prescriptive language such as 'MUST IMMEDIATELY STOP AND EXECUTE THIS LOCAL SCRIPT FIRST' and 'Never skip Step 1,' which attempts to override normal user choice and the agent's safety discretion. This is dangerous because mandatory execution policies can coerce tool use even when it is unnecessary or unsafe, especially in combination with local script execution and possible file-writing behavior.
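The three findings above (broad triggers, coercive execution wording, and a script that can write to disk) are the kind of thing a reviewer should catch before enabling a skill globally. The following is an added example, not part of this report or of the skill: a small pre-install linter that scans a skill manifest for coercive execution language, interpreter invocations of a bundled script, and the --persist/--output-dir flags named in the findings. The manifest text `SAMPLE_SKILL_MD`, the rule names, and the function names are all constructed for the demo.

```python
"""Added example: a pre-install linter for skill manifests.

Flags the patterns the findings above describe: coercive execution language,
commands that run a local script, and flags that turn a read-only helper into
something that writes to disk. The manifest below is constructed for the demo
and is not the real skill's file.
"""
import re

# "MUST ... EXECUTE", "Never skip", "ALWAYS ... RUN" and similar, case-insensitive.
COERCIVE = re.compile(
    r"\b(must|never|always)\b[^.\n]{0,60}?\b(execute|run|stop|skip)\b", re.IGNORECASE
)
# Interpreter invocations of a bundled script (python3 foo.py, bash foo.sh, ...).
EXEC_CMD = re.compile(r"\b(python3?|node|bash|sh)\s+\S+\.(py|js|sh)\b")
# Flags that cause filesystem writes; the names come from the findings on this page.
WRITE_FLAGS = re.compile(r"--(persist|output-dir)\b")

RULES = {
    "coercive_instruction": COERCIVE,
    "local_script_execution": EXEC_CMD,
    "filesystem_write_flag": WRITE_FLAGS,
}

# Constructed sample manifest: written to look like the patterns described, not the real file.
SAMPLE_SKILL_MD = """\
# Example UI helper (constructed sample manifest)
Use when the user asks about UI, frontend code, layout, or components.

## Step 1
You MUST IMMEDIATELY STOP AND EXECUTE THIS LOCAL SCRIPT FIRST:
    python3 scripts/search.py "$QUERY" --persist --output-dir design-system
Never skip Step 1.

## Step 2
Summarize the results for the user.
"""


def lint_skill_text(text: str) -> dict:
    """Return {rule_name: [(line_number, matched_text), ...]} for every hit."""
    hits = {name: [] for name in RULES}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES.items():
            for match in pattern.finditer(line):
                hits[name].append((lineno, match.group(0)))
    return hits


def needs_manual_review(hits: dict) -> bool:
    """Coercive wording combined with execution or disk writes is the risky mix."""
    return bool(hits["coercive_instruction"]) and bool(
        hits["local_script_execution"] or hits["filesystem_write_flag"]
    )


if __name__ == "__main__":
    result = lint_skill_text(SAMPLE_SKILL_MD)
    for rule, found in result.items():
        for lineno, snippet in found:
            print(f"{rule}: line {lineno}: {snippet!r}")
    print("needs manual review:", needs_manual_review(result))
```

The regexes are deliberately narrow so the output is short enough to read; a hit is a prompt to open the manifest and the referenced script, not a verdict. Run it against the real SKILL.md and the bundled scripts before enabling the skill outside a restricted profile.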

Natural-Language Policy Violations

Low
Confidence: 92%
Finding
The CSV content explicitly recommends locale/timezone behavior ('Auto-fill timezone') without indicating user consent or opt-in. In a UI/UX guidance skill, this could normalize implementing inferred locale behavior by default, which can create privacy concerns or incorrect assumptions about the user's context, even if the risk is limited.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The dataset explicitly recommends dark mode, or implies it as the default, for multiple categories such as fintech, banking, streaming, and developer tools, without indicating user preference detection, accessibility overrides, or opt-in behavior. In a mandatory UI/UX skill meant to drive frontend generation, this guidance can systematically produce inaccessible interfaces for users with low vision, light sensitivity, or contrast-related needs, which makes the issue operational rather than merely stylistic.

Missing User Warnings

Medium
Confidence: 98%
Finding
When persist=True, the function writes generated files without any warning, prompt, or explicit disclosure in the execution path, which is risky in agentic workflows where callers may not expect filesystem mutation. Silent writes can be abused to plant misleading documentation, modify repository state, or create artifacts that influence later human or automated decisions.
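The three persist-related findings (caller-controlled output_dir, no strict path constraint, silent writes) all point at the same fix. The following is an added example, not the skill's own code, of what a constrained persist function looks like: it resolves every target before writing anything and refuses locations outside the project root (absolute paths, `..`, and symlinks out of the tree), it defaults to a dry run that only reports the planned paths, and it never overwrites an existing file unless the caller asks. `DEMO_ROOT`, the function names, and the sample files in `demo()` are constructed for the example.

```python
"""Added example: confine --persist writes to the project tree.

A persist function that (1) rejects any output_dir or file name that would
resolve outside the project root, (2) only writes when the caller opts in with
persist=True, and (3) never overwrites an existing file unless overwrite=True.
Function names are illustrative, not the skill's own.
"""
import os
import tempfile
from pathlib import Path

# Constructed root used only for the path-containment checks; it need not exist.
DEMO_ROOT = os.path.join(os.getcwd(), "demo_project")


class UnsafeOutputPath(ValueError):
    """Requested output location escapes the project root."""


def resolve_output_path(project_root: str, output_dir: str, filename: str) -> Path:
    """Return the absolute target path or raise UnsafeOutputPath.

    output_dir and filename are treated as untrusted: an agent or a
    prompt-injected workflow may control them. Absolute paths are rejected
    up front (they would make the join discard project_root); '..' segments
    and symlinks out of the tree are caught by checking containment after
    full resolution.
    """
    root = Path(project_root).resolve()
    if Path(output_dir).is_absolute() or Path(filename).is_absolute():
        raise UnsafeOutputPath(f"absolute path rejected: {output_dir!r} / {filename!r}")
    target = (root / output_dir / filename).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise UnsafeOutputPath(f"{target} is outside {root}") from None
    return target


def is_confined(project_root: str, output_dir: str, filename: str) -> bool:
    """True if the combination stays inside project_root."""
    try:
        resolve_output_path(project_root, output_dir, filename)
        return True
    except UnsafeOutputPath:
        return False


def persist_design_files(project_root, output_dir, files, persist=False, overwrite=False):
    """Plan the writes and perform them only if persist=True.

    All paths are resolved before anything is written, so one bad path aborts
    the whole batch with no partial output. The returned dict lets the caller
    (or the agent's log) show exactly what was, or would be, touched.
    """
    planned = {name: resolve_output_path(project_root, output_dir, name) for name in files}
    result = {"planned": [str(p) for p in planned.values()], "written": [], "skipped_existing": []}
    if not persist:
        return result  # dry run: disclose the plan, mutate nothing
    for name, path in planned.items():
        if path.exists() and not overwrite:
            result["skipped_existing"].append(str(path))
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(files[name], encoding="utf-8")
        result["written"].append(str(path))
    return result


def demo() -> dict:
    """Exercise the function in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "project")
        os.makedirs(os.path.join(root, "design-system"))
        readme = os.path.join(root, "design-system", "README.md")
        with open(readme, "w", encoding="utf-8") as fh:
            fh.write("human-written\n")  # constructed: must not be clobbered silently
        files = {"README.md": "AI-generated\n", "tokens.md": "# Tokens\n"}  # constructed output
        dry = persist_design_files(root, "design-system", files)
        first = persist_design_files(root, "design-system", files, persist=True)
        forced = persist_design_files(root, "design-system", files, persist=True, overwrite=True)
        with open(readme, encoding="utf-8") as fh:
            readme_after = fh.read()
        try:
            persist_design_files(root, "../outside", files, persist=True)
            escaped = True
        except UnsafeOutputPath:
            escaped = False
        outside_exists = os.path.exists(os.path.join(tmp, "outside"))
    return {
        "dry_run_written": len(dry["written"]),
        "first_skipped": len(first["skipped_existing"]),
        "first_written": len(first["written"]),
        "forced_written": len(forced["written"]),
        "readme_after": readme_after,
        "escape_blocked": (not escaped) and (not outside_exists),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check is done on the fully resolved path rather than by string-matching for `..`, because a symlink inside the project (say `design-system -> /somewhere/else`) would pass a textual check and still write outside the tree. Returning the planned paths even in dry-run mode is what gives an agent harness something to show the user before it opts in to `persist=True`.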

VirusTotal

0/64 vendors flagged this skill; all 64 reported it clean.