Superdesign
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This design skill is review-worthy because it can automatically install and use a mutable CLI, follow changing remote instructions, and copy broad UI source context into persistent files and SuperDesign CLI commands.
Install only if you are comfortable with SuperDesign scanning and storing UI source context and passing selected files to its CLI. Before use, pin or review the CLI and remote instructions, approve the exact context files, exclude secrets/proprietary code where needed, and confirm which SuperDesign account will receive the project data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may follow live GitHub instructions the user has not reviewed, potentially changing what files it reads, writes, or sends to tools.
The reviewed skill tells the agent to retrieve mutable remote instructions at runtime and treat them as authoritative, so behavior can change after review.
MUST MANDATORY Fetch fresh guidelines below: https://raw.githubusercontent.com/superdesigndev/superdesign-skill/main/skills/superdesign/SUPERDESIGN.md ... Action accordingly based on instruction in the SUPERDESIGN.md
Use the bundled reviewed instructions or pin remote instructions to an immutable commit, and require user approval before applying newly fetched guidance.
Installing a global @latest CLI can change the user's Node environment and may run unreviewed package installation code.
The skill can install a mutable latest-version global npm package outside a pinned install spec; package contents and install-time behavior are not part of the reviewed artifact.
If the command fails (not found), install the CLI:
npm install -g @superdesign/cli@latest
Pin a reviewed CLI version, declare the install mechanism in metadata/install specs, prefer a local sandboxed install, and ask the user before installing.
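A pre-flight gate for the two findings above (mutable remote instructions fetched at runtime, and a global @latest CLI install), as an added example; it is not part of the SuperDesign skill or of ClawScan. It assumes the reviewer has recorded the commit SHA and SHA-256 digest of the SUPERDESIGN.md revision they actually read, plus an exact CLI version; all function names are illustrative.

```python
"""Pre-flight gate for a skill that fetches remote instructions and installs a CLI.

Added example, not the SuperDesign skill's or ClawScan's code. Assumes the
reviewer recorded (1) the full commit SHA and SHA-256 of the SUPERDESIGN.md
revision they reviewed and (2) an exact CLI version to install.
"""
import hashlib
import re
import urllib.request

# The raw URL the skill hard-codes, minus the mutable 'main' branch segment.
RAW_BASE = "https://raw.githubusercontent.com/superdesigndev/superdesign-skill"
GUIDELINE_PATH = "skills/superdesign/SUPERDESIGN.md"


def is_immutable_ref(ref: str) -> bool:
    """Only a full 40-hex commit id is immutable; branches and tags can move."""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None


def pinned_raw_url(commit: str) -> str:
    """Rewrite the skill's 'main' raw URL so it points at one fixed commit."""
    if not is_immutable_ref(commit):
        raise ValueError("pin to a full commit SHA, not a branch or tag")
    return f"{RAW_BASE}/{commit}/{GUIDELINE_PATH}"


def guideline_matches_review(content: bytes, reviewed_sha256: str) -> bool:
    """True only if the fetched guideline is byte-identical to the reviewed copy."""
    return hashlib.sha256(content).hexdigest() == reviewed_sha256.lower()


def fetch_reviewed_guidelines(commit: str, reviewed_sha256: str) -> str:
    """Fetch the pinned revision and refuse to hand it to the agent on any drift."""
    with urllib.request.urlopen(pinned_raw_url(commit), timeout=10) as resp:
        body = resp.read()
    if not guideline_matches_review(body, reviewed_sha256):
        raise RuntimeError("SUPERDESIGN.md differs from the reviewed revision; re-review before use")
    return body.decode("utf-8")


# Exact semver release, optionally with a pre-release/build suffix; no ranges, no tags.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def check_install_command(cmd: str) -> list:
    """Return the reasons an npm install command fails review (empty list = acceptable).

    Flags a mutable version (@latest, a range, or none at all), a global install
    that changes the user's Node environment, and lifecycle scripts left enabled.
    """
    problems = []
    tokens = cmd.split()
    if tokens[:2] != ["npm", "install"]:
        return ["not an npm install command"]
    specs = [t for t in tokens[2:] if not t.startswith("-")]
    if len(specs) != 1:
        return ["expected exactly one package spec"]
    spec = specs[0]
    # Scoped packages start with '@', so split on the last '@' only.
    name, sep, version = spec.rpartition("@")
    if not sep or name == "":
        problems.append(f"{spec}: no version pinned")
    elif not EXACT_VERSION.match(version):
        problems.append(f"{spec}: version '{version}' is not an exact release")
    if "-g" in tokens or "--global" in tokens:
        problems.append("global install modifies the user's Node environment; prefer a local install")
    if "--ignore-scripts" not in tokens:
        problems.append("install scripts enabled; add --ignore-scripts or review the package first")
    return problems


if __name__ == "__main__":
    # The exact command quoted from the skill, checked as a reviewer would.
    for p in check_install_command("npm install -g @superdesign/cli@latest"):
        print("reject:", p)
```

Run `check_install_command` over the install line quoted from the skill before the agent is allowed to execute it, and call `fetch_reviewed_guidelines` with the reviewed commit and digest instead of letting the agent fetch `main`; a digest mismatch is the signal that the remote guidance changed since review and needs a fresh look.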
Private or proprietary UI source code may be duplicated into persistent agent context and reused in later design tasks.
The init process creates persistent repo-local context files containing copied source code, but the artifacts do not define exclusions, retention, review, or cleanup controls.
Write all files to `.superdesign/init/` ... Include FULL source code for each component ... Be generous with the content — more context is always better than less.
Review generated .superdesign files, exclude secrets and nonessential code, add clear retention/cleanup guidance, and require user confirmation before broad indexing.
Source files and design-system details could be shared with the SuperDesign service or account context without the user explicitly approving each file.
The skill requires many local source files to be passed into the SuperDesign CLI/provider workflow, but the artifacts do not explain data boundaries, upload behavior, retention, or filtering.
Every file in that tree MUST be passed as `--context-file`. Then also add globals.css, tailwind.config, and design-system.md.
Show the user the exact files before passing them as context, document whether they are uploaded or stored, and provide exclusions for sensitive or proprietary files.
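A manifest-and-exclusion step covering the two findings above (persistent source copies under .superdesign/init/ and the instruction to pass every file in that tree as --context-file), as an added example that is not SuperDesign's or ClawScan's code. It assumes the operator maintains an exclusion list; the sample tree, the secret patterns, the CONFIDENTIAL marker and the paths for globals.css and tailwind.config are constructed, illustrative choices.

```python
"""Manifest-and-exclusion gate for files handed to a design CLI as context.

Added example, not SuperDesign's or ClawScan's code. It assumes the agent has
already written .superdesign/init/ and that the operator keeps an exclusion
list; the secret patterns and the CONFIDENTIAL marker are illustrative.
"""
import fnmatch
import re
from pathlib import Path

# Constructed sample of what an init run might leave behind (not real project files).
SAMPLE_TREE = {
    ".superdesign/init/components/Button.tsx": "export const Button = () => <button/>;\n",
    ".superdesign/init/components/Auth.tsx":
        "// CONFIDENTIAL: internal billing flow\nconst STRIPE_KEY = 'sk_live_abcdefghijklmnop';\n",
    ".superdesign/init/design-system.md": "# Tokens\nprimary: #0055ff\n",
    ".superdesign/init/notes/deploy.env": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n",
    "src/styles/globals.css": ":root { --brand: #0055ff; }\n",
    "tailwind.config.js": "module.exports = { theme: {} };\n",
}

# Illustrative detectors; a real deployment would plug in its secret scanner here.
SECRET_PATTERNS = {
    "aws access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "stripe live key": re.compile(r"\bsk_live_[0-9A-Za-z]{10,}\b"),
    "hard-coded credential": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"][^'"]{8,}"""),
}
PROPRIETARY_MARKER = re.compile(r"\bCONFIDENTIAL\b")  # assumed in-house marker
DEFAULT_EXCLUDES = ["*.env", "*.pem", "*.key", "**/secrets/**"]


def classify(path, text, exclude_globs):
    """Return None if the file may be passed as context, else the reason it is withheld."""
    for pat in exclude_globs:
        if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(Path(path).name, pat):
            return f"matches exclusion {pat}"
    if PROPRIETARY_MARKER.search(text):
        return "marked CONFIDENTIAL"
    for label, rx in SECRET_PATTERNS.items():
        if rx.search(text):
            return f"contains {label}"
    return None


def plan_context_files(files, exclude_globs=DEFAULT_EXCLUDES):
    """Split candidates into (approved paths, {path: reason}) for the user to confirm."""
    approved, withheld = [], {}
    for path in sorted(files):
        reason = classify(path, files[path], exclude_globs)
        if reason:
            withheld[path] = reason
        else:
            approved.append(path)
    return approved, withheld


def context_args(approved):
    """Build the repeated --context-file arguments the skill tells the agent to pass."""
    args = []
    for p in approved:
        args += ["--context-file", p]
    return args


def load_tree(root, extra=()):
    """Read .superdesign/init/ from disk plus the extra files the skill names."""
    root = Path(root)
    files = {}
    for p in (root / ".superdesign" / "init").rglob("*"):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = p.read_text(errors="replace")
    for e in extra:
        q = root / e
        if q.is_file():
            files[e] = q.read_text(errors="replace")
    return files


if __name__ == "__main__":
    ok, held = plan_context_files(SAMPLE_TREE)
    for p in ok:
        print("approve :", p)
    for p, why in held.items():
        print("withhold:", p, "->", why)
    print(" ".join(context_args(ok)))
```

In a real repo, build the candidate set with `load_tree(repo_root, ["src/styles/globals.css", "tailwind.config.js"])` (the paths are assumed; the skill names the files but not where they live), print both lists to the user, and only after explicit confirmation hand `context_args(approved)` to the CLI. The withheld list is also the starting point for a cleanup pass over .superdesign/init/, since the init step itself defines no exclusions or retention.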
Design projects, drafts, and uploaded context may be associated with the logged-in SuperDesign account.
The skill uses a SuperDesign account session. That is expected for the integration, but users should note that account authentication is required even though no credential is declared in the metadata.
Check login status ... If you see an auth/login error, run: superdesign login ... Never assume the user is already logged in. Always verify login first.
Log in only with the intended account, confirm account/workspace scope, and log out or revoke access when no longer needed.
