Skill v1.0.0
ClawScan security
claude design · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 6:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only design skill that asks for no credentials, installs nothing, and its runtime instructions are coherent with the stated purpose of producing HTML-based design artifacts.
- Guidance: This skill is internally consistent and appears to do what it claims: guide creation of HTML/React design artifacts. Before using it, review any generated HTML/JS you receive (especially if you plan to host it). The skill's examples reference remote CDNs (unpkg) — consider hosting third-party libraries locally or verifying integrity hashes if you open/serve the output in sensitive environments. Also verify any fonts/assets/licenses the generated design recommends, and avoid pasting secrets into prompts or uploads used by the skill.
Review Dimensions
- Purpose & Capability (ok): The name/description (HTML/design artifacts, prototypes, decks, animations, UI components) aligns with the SKILL.md content, which provides detailed workflows, component and format guidance, and implementation notes for producing HTML/React-based outputs.
- Instruction Scope (note): The SKILL.md stays focused on design tasks (discovery, planning, design, validation) and specific implementation guidance (React/JSX, deck components, animations). It does instruct the agent to avoid revealing internal prompts/skill mechanics (a normal opsec-style rule). One operational detail to note: generated HTML examples reference remote CDNs (unpkg links) and include integrity attributes; opening produced HTML will cause network fetches for those libraries — this is expected for web artifacts but is operational behavior the user should be aware of.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is written to disk or downloaded by the skill itself. Low install risk.
- Credentials (ok): No required environment variables, credentials, or config paths are declared or referenced. The SKILL.md does not ask for secrets or unrelated credentials.
- Persistence & Privilege (ok): The skill is not always-enabled and uses default autonomous invocation settings. It does not request persistent system presence, nor does it instruct modifying other skills or agent-wide configuration.
