Skill v1.0.0
ClawScan security
Web Artifacts Builder (Anthropic) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 14, 2026, 5:35 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (generating React/Tailwind/shadcn artifacts) matches the scripts, but there are important inconsistencies: required binaries and a local components tarball are not declared, and the scripts perform global installs and network package installs — review before running.
- Guidance: Things to check before installing/using this skill:
  - Confirm you have Node.js >=18 and pnpm available; the skill's metadata does not declare these, but the scripts require them. If pnpm is missing, the init script will try to run `npm -g install`, which modifies your system.
  - The init script expects a local file `scripts/shadcn-components.tar.gz` (the included manifest does not contain this tarball). Ask the publisher where that tarball comes from and inspect its contents before extraction.
  - The scripts will run network package installs (`pnpm add` / `pnpm install`) and write project files in the current directory. Run them in an isolated directory, container, or disposable VM if you are unsure.
  - Review the contents of the tarball and `package.json` (after scaffold) for any unexpected external endpoints or postinstall scripts before running builds.
  - If you want to proceed, prefer running the scripts manually (not granting autonomous execution) and step through each command so you can audit global installs and file changes.
Review Dimensions
- Purpose & Capability (concern): The skill claims to scaffold and bundle React + shadcn/ui artifacts, which matches the included init and bundle scripts. However, the registry metadata declares no required binaries, while the scripts clearly require Node (>=18), pnpm (and npm to install pnpm if missing), tar, and standard build tools. The lack of declared required binaries is an incoherence that could surprise users.
- Instruction Scope (concern): SKILL.md instructs the agent to run `scripts/init-artifact.sh` and `scripts/bundle-artifact.sh`, which: create a new project directory, modify configuration files (tsconfig, vite.config.ts, tailwind config), extract a local tarball of components, install many npm/pnpm packages, and build and inline assets. The init script expects a local file `shadcn-components.tar.gz` in the scripts directory — that tarball is not present in the manifest provided. The instructions do not attempt to read unrelated secrets, but they do perform broad filesystem changes and network installs.
- Install Mechanism (note): There is no formal install spec (instruction-only), so the only install behavior is what the scripts execute at runtime. Those scripts run `npm -g` to install pnpm if missing and use pnpm to install many dev/runtime packages (parcel, shadcn dependencies). Network package installs and optional global npm installs are expected for a project generator but are intrusive; there are no downloads from unknown personal servers in the scripts themselves (the components are expected locally).
- Credentials (note): The skill declares no required environment variables or credentials, which aligns with its stated offline scaffolding purpose. However, it implicitly requires system tools and permissions (node, npm, pnpm, tar, and the ability to install global npm packages). Those implicit requirements are not declared and may require elevated privileges or change system state.
- Persistence & Privilege (note): The skill is not always-enabled and does not modify other skills or agent-wide settings. The main persistence/privilege concern is that the init script can install pnpm globally (`npm -g`) and will write files into the current working directory — these are local/system changes but do not change agent configuration.
