SuperDesign
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the generated UI uses these snippets, the page may fetch and run code from third-party CDN providers in the browser.
The skill recommends loading frontend libraries from third-party CDNs, including an unpinned '@latest' dependency. This is disclosed and purpose-aligned for frontend prototypes, but it creates a supply-chain consideration for generated pages.
<script src="https://cdn.tailwindcss.com"></script> ... <script src="https://unpkg.com/lucide@latest/dist/umd/lucide.min.js"></script>
Use pinned versions, integrity checks, or self-hosted assets for production; treat CDN snippets as acceptable mainly for prototypes or trusted contexts.
