Skill v1.0.2

ClawScan security

Frontend Design · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 12, 2026, 7:01 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instruction-only frontend design skill that is internally consistent: it reads/writes workspace files for brand/context and produces HTML/CSS/JS outputs, and it does not request unrelated credentials or install code.
Guidance
This skill is coherent for frontend design: it will read brand/context files in ~/workspace (SOUL.md, KNOWLEDGE.md) and write working HTML/CSS/JS files to ~/workspace/designs/[project-slug]/. Before installing/using it, make sure your workspace doesn't contain secrets or unrelated sensitive files you don't want read. If you want tighter control over design decisions, provide explicit brief details (audience, CTA, tone) because the skill's instructions say it will make strong assumptions rather than always asking follow-ups.

Review Dimensions

Purpose & Capability
ok
The name/description (build frontends) matches the runtime instructions: producing working HTML/CSS/JS, checking brand files, and saving output to a workspace folder. Requested binaries (bash; optional node/npx/python3) are reasonable for this workflow.
Instruction Scope
note
SKILL.md explicitly tells the agent to read ~/workspace/SOUL.md and ~/workspace/KNOWLEDGE.md (if present) and to save files under ~/workspace/designs/[project-slug]/. That file I/O is coherent for a design skill but does grant the skill access to arbitrary workspace files and the ability to write files, so users should ensure sensitive data isn't in that workspace. The skill also instructs the agent to make assumptions rather than always prompting for missing details, which can lead to undesired choices unless the user provides a clear brief.
Install Mechanism
ok
No install spec or code is included (instruction-only). No downloads or executable installs are requested, which minimizes on-disk risk.
Credentials
ok
No environment variables, credentials, or external config paths are required. Optional binaries (node/npx/python3) are reasonable helpers and not mandatory.
Persistence & Privilege
ok
The skill is not always-enabled and is user-invocable. It requests permission to write outputs into the user's workspace (explicit in instructions) but does not modify other skills or request elevated system privileges.