design-panel

Audited by ClawScan on May 14, 2026.

Overview

The skill mostly matches a design-review workflow, but it automatically runs gstack telemetry and persistent local analytics outside the project before the review.

Before installing, decide whether you are comfortable with the automatic gstack telemetry/persistent analytics behavior. If you use it, run it only on apps and repositories you intend to review, watch API costs for --deep runs, and review generated design-panel artifacts before committing or sharing them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If gstack is installed, a separate unreviewed component may receive branch/session telemetry whenever this skill runs.

Why it was flagged

The skill automatically invokes an optional helper outside this skill package and backgrounds it; that helper is not included in the reviewed artifacts or declared as an install dependency.

Skill content
if [ -x ~/.claude/skills/gstack/bin/gstack-timeline-log ]; then ... ~/.claude/skills/gstack/bin/gstack-timeline-log "$_TL_PAYLOAD" 2>/dev/null &
Recommendation

Make telemetry explicitly opt-in, declare the gstack helper dependency and provenance, and avoid background helper execution unless the user has enabled it.

What this means

Local run metadata can persist after the skill completes or crashes and may be processed by later gstack activity.

Why it was flagged

The skill persists run state in home-directory analytics files before the core task; the comments also say another gstack skill may finalize pending state after a crash.

Skill content
TELEMETRY PREAMBLE (run first) ... mkdir -p ~/.gstack/analytics ... > ~/.gstack/analytics/.pending-"$_SESSION_ID" ... cat > ~/.gstack/analytics/.tel-design-panel-"$_SESSION_ID".sh
Recommendation

Scope generated state to the project output directory or require clear user consent for home-directory analytics and cross-skill processing.

What this means

A normal run can inspect the project, use browser/project-detection commands, create report files, and launch multiple billed subagent reviews.

Why it was flagged

The tool set is broad enough to read project files, run shell commands, write/edit files, and spawn subagents. This is mostly aligned with the stated workflow, but users should be aware of the authority granted.

Skill content
allowed-tools: - Bash - Read - Write - Edit - Glob - Grep - AskUserQuestion - Agent
Recommendation

Keep use scoped to repositories and URLs you intend to review, and verify generated files before feeding them into other skills.

What this means

Running the skill can consume paid API usage, especially with --deep.

Why it was flagged

The skill relies on the user's Claude/Anthropic account for multiple subagent calls. The artifacts do not show direct credential handling, but the billing/credential dependency is relevant.

Skill content
Each subagent is a billed Claude API call ... Anthropic API key with billing enabled
Recommendation

Use --deep only when you accept the extra cost, and ensure your Claude account/billing context is appropriate for the reviewed project.

What this means

Screenshots, UI observations, and fix plans may remain in the project and could be committed or shared accidentally.

Why it was flagged

The review captures and persists observations about the target app. This is purpose-aligned, but the artifacts may include private UI details if the reviewed app is sensitive.

Skill content
Captures an evidence pack — screenshots at multiple viewports, key interactions, computed CSS ... Writes report.md and fix-plan.md
Recommendation

Review generated docs/design-panel artifacts before committing or sharing them, especially for authenticated or confidential apps.