Markdown-UI DSL: Zero-Hallucination UI Generation

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only UI wireframing skill is mostly purpose-aligned, but users should review any requested file synchronization before allowing it to edit project files.

This appears safe to install as an instruction-only UI DSL helper. Before using its sync features, check which file path the spec names, review the planned changes, and avoid autonomous or force-sync mode unless you trust the spec and have backups.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used for sync, the agent may change local frontend code or wireframe files, especially if the user approves the plan or requests force/autonomous operation.

Why it was flagged

The skill can direct the agent to edit or overwrite project UI files during synchronization. This is related to the UI-generation purpose and includes a default confirmation step, but users should understand that force/autonomous mode removes that safeguard.

Skill content

before making any file modifications or overwriting existing code/wireframes during a sync, explicitly inform the user of the planned changes and ask for visual confirmation to proceed. However, if the user explicitly instructs you to operate "autonomously", "without confirmation", or "force sync" in their prompt, you may bypass this check.

Recommendation

Review planned changes or diffs before approving sync, use version control/backups, and avoid force-syncing untrusted or unfamiliar UI specs.

What this means

A UI spec from someone else could influence generated layouts through blockquote hints.

Why it was flagged

The DSL intentionally makes certain text inside a UI spec influence the agent's layout decisions. This is expected for the skill, but untrusted specs could include misleading prompt-like hints.

Skill content

Standard Markdown blockquotes (`> text`) act as natural language layout hints. Apply these hints ... contextually to the closest container or element.

Recommendation

Review blockquote hints in imported `.ui.md` files, and do not treat untrusted specs as safe input for automatic code synchronization.