Skill v1.0.0

ClawScan security

Popular Web Designs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 7:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only collection of HTML/CSS design templates; its requested actions and files match its stated purpose and it does not ask for credentials, installs, or elevated persistence.
Guidance
This skill appears coherent and low-risk from a security/privilege perspective because it is a collection of design templates with no installs or credential requests. Before installing or using it, consider:
1) Operational exposure — the SKILL.md recommends serving generated pages via a cloudflared tunnel (generative-widgets); that will expose content to the network if you run it, so avoid serving private or sensitive data and review permissions for the service you use.
2) Intellectual property — templates explicitly emulate the visual identity of real companies; ensure you have the right to reproduce or publish look-alike pages (legal/risk concern, not a technical inconsistency).
3) External dependencies — templates include Google Fonts CDN links; if you require fully offline output, substitute or self-host fonts.
If you want higher assurance, ask the author for provenance (source of templates and license) and a minimal example run to confirm the serving workflow and any external endpoints used.
Findings
[no_regex_matches] expected: The regex-based scanner reported no findings. That's expected: the package is instruction-only and contains markdown templates rather than executable code for the scanner to analyze.

Review Dimensions

Purpose & Capability
ok
Name/description (design templates) align with the provided assets: 54 markdown design templates and a SKILL.md that explains how to load and apply them. There are no unrelated environment variables, binaries, or installs requested.
Instruction Scope
note
SKILL.md instructs the agent to load templates, use write_file to create HTML, serve via the generative-widgets/cloudflared workflow, and verify with browser_vision. Those instructions are coherent for generating and previewing pages, but serving via a tunnel can expose generated pages publicly—users should be aware of operational exposure when following that part of the workflow.
Install Mechanism
ok
No install spec or code is present. This is instruction-only (markdown templates), so nothing is written to disk by an installer and nothing is downloaded or executed automatically by the skill itself.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The SKILL.md references external CDNs (Google Fonts) for font links, which is expected for visual templates and proportional to purpose.
Persistence & Privilege
ok
The skill does not request always:true, does not modify other skills, and does not require persistent privileges. It is user-invocable and may be invoked autonomously by the agent (platform default), which is expected behavior for skills.