Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Artifacts Builder Pro

v1.0.0

Suite of tools for creating elaborate, multi-component claude.ai HTML artifacts using modern frontend web technologies (React, Tailwind CSS, shadcn/ui). Use...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the scripts and SKILL.md: this is a project initializer + bundler for React/Tailwind/shadcn. However the init script expects a local tarball (scripts/shadcn-components.tar.gz) with 40+ components to be present; that tarball is not listed in the file manifest. The SKILL.md also claims '40+ shadcn/ui components pre-installed' which is only true if that tarball exists. This mismatch is unexplained and will cause the init script to fail or require the user to supply a missing archive.
Instruction Scope
SKILL.md instructs the agent/user to run the provided scripts to scaffold and bundle projects. The instructions do not ask for unrelated system files or credentials and limit actions to project setup, editing, bundling, and optional testing. They do, however, instruct using other tools/skills (Playwright/Puppeteer) for testing — that is optional but gives the agent latitude to invoke other tooling. The scripts will run network installs and modify project files (tsconfig, vite.config, .parcelrc).
Install Mechanism
There is no install spec (instruction-only), so nothing is written by a package installer at skill install time. At runtime the scripts perform many network package operations (npm -g pnpm, pnpm create vite, pnpm install and multiple pnpm installs/add). These are standard for scaffolding a JS project but do result in arbitrary third-party packages being downloaded and executed in the environment. No direct downloads from unknown servers are used in the scripts (aside from package registries), but the missing components tarball would be a local archive expected at runtime.
Credentials
The skill declares no required environment variables, credentials, or config paths. The scripts do not attempt to read secrets or external credentials. Their network actions are limited to package installations from standard registries and extracting a local tarball. No disproportionate credential access is requested.
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request persistent system-wide configuration changes beyond creating/modifying files inside the project it scaffolds. It does install packages into the project and may install pnpm globally; that is normal for a scaffold tool but changes the environment. Autonomous invocation is allowed (platform default) but is not combined with other high privileges here.
What to consider before installing
What to check before running or installing:
1) The init script expects scripts/shadcn-components.tar.gz (40+ components). That tarball is not present in the skill manifest — ask the author or supply a trusted tarball; otherwise the init script will fail.
2) The scripts install many npm/pnpm packages (including a global pnpm install). Only run them in an isolated environment (a disposable VM, container, or dedicated dev machine) and avoid running as root.
3) Verify the contents of any tarball you provide or that the author supplies; a tarball could contain arbitrary code.
4) Review package.json and lockfiles created during scaffold to inspect third-party dependencies before executing build steps.
5) This skill does not request secrets, but it will download and execute third-party packages at runtime — if you need higher assurance, request the missing tarball source or a reproducible list of package versions (lockfile).
