ClawHub
Back to skill
v1.0.0

Prototype Factory

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:34 AM.

Analysis

This is an instruction-only prototype-building skill with standard project setup guidance; users should just review third-party dependencies and avoid putting real credentials in handoff files.

GuidanceThis skill appears coherent and proportionate for building polished app prototypes. Before using it, review any generated package dependencies and stock assets, and make sure README or handoff files contain only demo credentials or placeholder keys—not real production secrets.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
flutter pub add google_fonts cached_network_image go_router lottie ... npm create vite@latest prototype -- --template react-ts ... npm install framer-motion tailwindcss @radix-ui/themes

The skill documents package-manager commands that fetch third-party dependencies for generated prototype projects.

User impactInstalling prototype dependencies can bring third-party code into the generated project.
RecommendationReview dependencies, generate lockfiles, and use trusted package registries before running or shipping the prototype.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Update `/README.md` with stack, commands, credentials, and feature tour.

The handoff instructions mention documenting credentials, which could be safe for demo accounts but risky if real secrets are placed in project files.

User impactReal API keys, passwords, or production credentials could be accidentally exposed in a README or project archive.
RecommendationUse dummy keys, demo accounts, or `.env.example` placeholders, and keep real secrets out of committed or zipped handoff files.