Frontend Design Polish

Security checks across malware telemetry and agentic risk

Overview

This is a capable frontend design skill, but its live mode grants broad local browser, file, and workspace mutation access that users should review before installing.

Install only if you want an active frontend design tool that can run local Node scripts, start a localhost server, inject scripts into your app, inspect selected page DOM, and modify project files. Avoid using live mode on sensitive authenticated pages unless you trust the whole page context, browser extensions, and local machine. Review generated config, injected script tags, PRODUCT.md/DESIGN.md changes, and cleanup markers after each live session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
The skill manifest declares no permissions, yet the referenced behavior indicates network-capable components. That creates a transparency and policy-enforcement gap: operators may approve or route the skill assuming it is passive documentation when it can actually communicate with local services and exchange data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
This is a substantial description-behavior mismatch. A frontend design skill is presented as a benign UI helper, but the detected behavior includes localhost service access, tokenized requests, uploading screenshots, fetching raw source, injecting variants into the live DOM, loading additional scripts, and posting control events to a backend. That combination expands the trust boundary and could expose source code, screenshots, session state, or local services without informed user consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to execute a local Node.js script (`node .kiro/skills/impeccable/scripts/load-context.mjs`) as part of normal completion flow, even though the skill's declared purpose is frontend design documentation. This expands capability from documentation generation into local code execution, creating risk if the script is modified, replaced, or has side effects on the host environment.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The seed-mode flow also mandates running a local Node.js script unrelated to producing a seed design spec. Recommending host-side script execution in a documentation skill creates an unnecessary execution path that an attacker could abuse through tampering or by conditioning users to accept opaque local commands.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to append a summary to `.kiro/settings.json`, which expands write scope beyond the stated design-context artifacts (`PRODUCT.md` and `DESIGN.md`) into agent/runtime configuration. Modifying configuration files can create persistence, alter later agent behavior, and surprise users because the change is not essential to the core UI-documentation task.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This library walks the DOM/CSS and automatically fetches external images, CSS imports, fonts, and SVG references via `fetch()` to inline them into screenshots. In a UI skill, that means rendering a local page can trigger arbitrary outbound requests to third-party URLs embedded in page content, which can leak IP address, timing, internal URL reachability, and potentially touch intranet resources if the page references them.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The skill's invocation scope is extremely broad and overlaps with many normal UI-related requests, increasing the chance it will be selected in contexts the user did not intend. In this skill's context, that is more dangerous because the broader package appears to include active live/browser behaviors and networked integrations beyond simple design advice.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs the agent to create and regenerate `DESIGN.md` and `DESIGN.json`, but the top-level flow does not consistently require a clear user-facing notice that files will be written. Silent or assumed file creation can cause unauthorized workspace modifications, especially when regeneration may overwrite or substantially alter existing project documentation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions include running a local Node command as part of normal completion without an explicit user-facing warning or confirmation. Executing host commands without informed consent is dangerous because users may not realize the agent is leaving the documentation domain and invoking local tooling with unknown side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Seed mode repeats the pattern of instructing automatic local script execution without a user-facing warning. This compounds the risk by normalizing command execution even in a lightweight onboarding flow where no such capability is needed to produce the requested design scaffold.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The example explicitly subsets a custom font to `U+0020-007F` (Basic Latin only) without any locale scoping, user opt-in, or warning that this excludes many scripts and accented characters. In a frontend optimization skill, users may copy this as recommended practice, causing missing glyphs, broken rendering, and degraded accessibility/i18n for non-English users.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The document directs the agent to write `PRODUCT.md` and `DESIGN.md` at the project root as part of the flow, but does not prominently warn at the outset that project files will be created or modified. In an agent setting, silent or insufficiently disclosed file writes can lead to unintended repository changes and reduce informed user consent, even if the files themselves are benign documentation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Multiple command descriptions rely on broad natural-language cues such as general user phrasing rather than tightly scoped, unambiguous invocation criteria. In an agent-routing context, this can cause accidental or overly eager invocation of high-impact UI-modifying skills, leading to unintended code changes, context drift, or execution of workflows the user did not clearly request.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The overdrive command uses highly permissive trigger phrases like wanting to 'wow' or 'go all-out,' which are subjective and easy to match in unrelated conversations. Because this command implies technically ambitious implementations, loose routing criteria increase the chance of unnecessary complexity, risky changes, or resource-intensive behavior being triggered without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends page URL, extracted DOM context, text content, outerHTML, computed styles, and annotation data to a localhost service without a clear just-in-time disclosure at the moment of transmission. Even though the destination is localhost, this can expose sensitive page content from internal tools, authenticated sessions, or user-entered data to another local process unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads screenshots of selected page elements to the localhost service when annotations are present, but the user is not clearly warned at the upload point. Screenshots can capture sensitive UI state, tokens, personal data, or proprietary content that may not be obvious from the element picker alone.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically invokes another local Node script via execFileSync when it receives 'accept' or 'discard' events from the live server, with no interactive confirmation or allowlist validation in this file. Because the trigger is remote event data and arguments such as event.id, event.variantId, and event.paramValues flow into the subprocess call, a compromised or spoofed local live server could cause unintended state-changing actions to happen autonomously.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The /source endpoint allows any holder of the live-session token to read arbitrary files under the project root and returns their contents over HTTP. Although access is token-gated and path traversal is partially checked, the token is injected into browser JavaScript and any connected page script, third-party dependency, extension, or XSS running in that page context could exfiltrate it and use this endpoint to harvest local project files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically renames `.impeccable.md` to `PRODUCT.md` during what appears to be a context-loading/read operation, causing an unexpected filesystem mutation without user confirmation. While this is not a code-execution issue, it violates least surprise and can overwrite user intent, break tooling that depends on the legacy filename, or create integrity/auditability problems in repos and automated environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The library enumerates stylesheets, processes `@import` rules, and fetches remote CSS/font assets for inlining, which can reveal browsing context and trigger privacy-impacting requests to third parties. This is more concerning in this skill because the stated purpose is UI improvement, not asset exfiltration or networked collection of page dependencies.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The library enumerates stylesheets, processes `@import` rules, and fetches remote CSS/font assets for inlining, which can reveal browsing context and trigger privacy-impacting requests to third parties. This is more concerning in this skill because the stated purpose is UI improvement, not asset exfiltration or networked collection of page dependencies.
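The Description-Behavior Mismatch finding above and the two stylesheet findings here describe the same behaviour: an inliner fetches whatever URLs the page's CSS references. As an added example, not the screenshot library's code, the block below enumerates the url() and @import references in a stylesheet and classifies where each request would go before any fetch happens. The CSS sample and the page origin are constructed for the example, and the private-network patterns are a lexical heuristic, not a substitute for egress controls.

```javascript
// Added illustration, not the screenshot library's code: enumerate the URLs
// an inliner would fetch from a page's CSS (url() and @import) and classify
// each by where the request would go. The CSS sample and page origin are
// constructed; the private-network patterns are a lexical heuristic only.
const PRIVATE_HOST_RE = /^(localhost|.*\.(local|internal|localhost))$/i;
const PRIVATE_V4_RE = /^(127\.|10\.|192\.168\.|169\.254\.|0\.|172\.(1[6-9]|2\d|3[01])\.)/;

function classifyRef(ref, pageOrigin) {
  let u;
  try { u = new URL(ref, pageOrigin); } catch { return "invalid"; }
  if (u.protocol === "data:" || u.protocol === "blob:") return "inline";
  if (u.protocol !== "http:" && u.protocol !== "https:") return "other-scheme";
  if (u.origin === new URL(pageOrigin).origin) return "same-origin";
  const host = u.hostname.replace(/^\[|\]$/g, "");          // strip IPv6 brackets
  if (host === "::1" || PRIVATE_HOST_RE.test(host) || PRIVATE_V4_RE.test(host)) {
    return "private-network";
  }
  return "external";
}

// Pulls every @import target and url() argument out of a stylesheet, deduplicated.
function extractCssRefs(cssText) {
  const refs = [];
  const seen = new Set();
  const push = (r) => { if (r && !seen.has(r)) { seen.add(r); refs.push(r); } };
  const importRe = /@import\s+(?:url\(\s*)?(['"]?)([^'")\s;]+)\1/g;
  const urlRe = /url\(\s*(['"]?)([^'")]+)\1\s*\)/g;
  for (const m of cssText.matchAll(importRe)) push(m[2].trim());
  for (const m of cssText.matchAll(urlRe)) push(m[2].trim());
  return refs;
}

// Report of every reference and the kind of request inlining it would make.
function auditAssetRequests(cssText, pageOrigin) {
  return extractCssRefs(cssText).map((ref) => ({ ref, kind: classifyRef(ref, pageOrigin) }));
}

// Constructed sample: what a dev page at http://localhost:3000 might reference.
const SAMPLE_CSS = `
@import url("https://fonts.example.com/css?family=Inter");
@import "theme.css";
.hero { background: url(/img/hero.png); }
.logo { background-image: url('http://intranet.corp.internal/logo.svg'); }
.icon { background: url("data:image/svg+xml;utf8,<svg/>"); }
.dash { background: url(http://10.0.0.5/status.png); }
`;
```

Running auditAssetRequests(SAMPLE_CSS, "http://localhost:3000") separates the font CDN (external, leaks IP and timing), the intranet host and the 10.0.0.5 address (private-network, probes reachability of internal resources), the same-origin assets, and the data URL that needs no request at all. A cautious inliner would fetch only the same-origin and inline entries by default and ask before the rest.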

VirusTotal

VirusTotal findings are pending for this skill version.
