Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Landing Page Builder
v1.2.0Build premium static landing pages with the Stomme/PolyTrader design system. Glass morphism, CSS custom properties, separated copy, responsive, Cloudflare Pa...
⭐ 0· 80·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included artifacts: design-system reference, pre-push static checks, and a post-deploy Playwright validator are all coherent with producing and validating static landing pages for Cloudflare Pages. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md stays within the scope of building and validating static landing pages (reading provided markdown, using design-system.md, separating copy, creating git hooks, CI wiring). Two things to note: (1) the provided validate-live-template.js defaults to targeting https://stomme.ai — if you do not change this, running it will make automated browser requests against that external site; (2) the templates include clearing localStorage and interacting with theme-specific keys (e.g., 'stomme-theme') which the SKILL.md says should be customized for your site. Review/adjust these defaults before running.
Install Mechanism
There is no install spec (instruction-only) and no downloads, which is low risk. However, the bundled scripts assume runtime tools: the pre-push check and validators call Node and the Playwright API. The skill does not install Playwright or declare Node dependencies — you'll need to add those to your environment/CI before running the validation script.
Credentials
The skill requests no environment variables, no credentials, and no system config paths. The included scripts operate on files and perform network requests to a configurable site only if you run them.
Persistence & Privilege
always:false and normal model invocation. The runtime instructions ask you to create repository-level artifacts (git hooks, scripts, CI workflow) which is expected for developer tooling; the skill does not request forced always-on presence or modify other skills/system-wide settings.
Assessment
This package appears coherent with its purpose, but review and adapt the included scripts before executing them:
- Change the default site in references/validate-live-template.js from https://stomme.ai to your target URL so validations run against your deployment (otherwise the script will open headless browsers to an external domain).
- The validate script uses Playwright (chromium) and Node — install playwright and add required Node deps in your dev environment and CI before running it.
- The pre-push script will block git pushes on failing checks; read references/pre-push-check-template.sh and confirm its checks/grep patterns match your repo structure, and rename the theme/localStorage keys (it uses 'stomme-theme' by default).
- Inspect the scripts for any external network calls you don't expect (the validation script intentionally makes HTTP requests to the target site). Run them in a controlled environment first.
- Adding .githooks/pre-push and CI wiring modifies your repository — commit/push those changes only after verifying the scripts. If you are uncomfortable with automated hooks or running headless browser tests, skip or adapt those steps.
If you want, I can point out exact lines to change (e.g., the SITE constant in validate-live-template.js and the KEY in the theme scripts) or produce an adapted copy configured for your domain and preferred localStorage key.Like a lobster shell, security has layers — review code before you run it.
latestvk97ewqqdc66m2dvgm7eeybzhjd8396n6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.