frontend-design-super
PassAudited by ClawScan on May 16, 2026.
Overview
This skill appears to be a normal frontend-site generator, with the main caveats that its helper scripts download and run npm tooling and its packaged identity metadata is inconsistent.
This skill is reasonable to install if you want frontend project scaffolding. Before running its scripts, verify the publisher/source, use a fresh project directory, and review npm dependencies and generated files; the visible artifacts do not show credential collection or data exfiltration.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the helper scripts will execute third-party npm tooling on your machine and may produce different results as upstream packages change.
The scaffolding script intentionally downloads and executes current npm tooling and installs dependencies without pinning versions. This is expected for a frontend project initializer, but it relies on upstream npm package provenance.
npx create-next-app@latest "$PROJECT_NAME" ... npm install framer-motion ... npx shadcn@latest init -y -d
Run the scripts only in a fresh project directory, review generated package files, and consider pinning dependency versions or using lockfiles for reproducible builds.
It may be harder to verify exactly which package, fork, or version you are installing.
The bundled metadata uses a different slug and version than the registry entry under evaluation, which lists frontend-design-super version 1.0.1. This looks like a fork or stale metadata rather than malicious behavior, but it weakens provenance clarity.
"slug": "frontend-design-ultimate", "version": "1.0.0"
Confirm the publisher and homepage before installing, and maintainers should align the registry, SKILL.md, and _meta.json identity fields.