Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Frontend Design 3 0.1.0

v1.0.0

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when building web components, pages, or applications. Gener...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name, description, and SKILL.md all align: it instructs the agent to create production-grade frontend code. There are no declared dependencies, env vars, or installs — which is proportionate for a prompt/instruction-only design skill. However, registry metadata and the included _meta.json disagree on ownerId, slug, and version (registry shows ownerId kn77y7vk08sq0bh8qbrrgsyzjx8392vm / slug frontend-design-3-0-1-0 / version 1.0.0, while _meta.json contains ownerId kn780r0jztja96vfbt1wz9pas1808t9c / slug frontend-design-3 / version 0.1.0). This provenance mismatch is unexpected and reduces trust in the package's origin.
Instruction Scope
SKILL.md contains only design guidance and output requirements for generating HTML/CSS/JS/React/Vue code. It does not instruct reading system files, accessing environment variables, contacting external endpoints, or executing commands on the host. No instructions request or exfiltrate user data.
Install Mechanism
No install spec is present (instruction-only skill), so nothing is written to disk or downloaded during install. This is the lowest-risk install model and matches the skill's stated purpose.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to an instruction-only frontend design generator and reduces risk of credential exposure.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has normal agent-invocation defaults. There is no indication it tries to gain persistent or elevated privileges.
What to consider before installing
The SKILL.md itself is coherent and low-risk: it only guides the AI to output frontend code and requires no installs or credentials. However, the package metadata is inconsistent (different ownerId, slug, and version inside _meta.json vs registry metadata) and the source/homepage is unknown. Before installing, verify the publisher: ask for the official source or repository, confirm the ownerId and version match, or prefer a skill with a traceable homepage/repo. If you proceed, treat outputs as untrusted code until reviewed—run generated code in a sandbox, check for external resource requests (fonts/CDNs) and licensing, and avoid providing any credentials or secret data to the skill. If the publisher can justify the metadata differences, this would raise confidence to benign.


latestvk9714v6vwqq992b4m2aapvcrg9838ztw
