Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Anthropic Frontend Design

v1.1.0

Create distinctive, production-grade frontend interfaces that avoid generic "AI slop" aesthetics. Combines the design intelligence of UI/UX Pro Max with Anthropic's anti-slop philosophy. Use for building UI components, pages, applications, or interfaces with exceptional attention to detail and bold creative choices.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce opinionated frontend design output and includes many CSV design-data assets and Python scripts (search.py, design_system.py, core.py) which fit that purpose. However, the SKILL.md explicitly instructs running python scripts, yet the declared 'required binaries' list is empty — that's an incoherence between what the skill expects at runtime and what the metadata declares. Either Python should be declared as required or the instructions should not assume a python runtime.
Instruction Scope
The SKILL.md instructions focus on design tasks (gather palettes, fonts, UX guidelines) and call local scripts (python scripts/search.py). The instructions do not request unrelated system files, credentials, or external endpoints in prose. That scope is consistent with the stated purpose. Note: the runtime behavior depends on what the included Python scripts do — the instructions cause code execution.
Install Mechanism
There is no install spec (low install risk). However, the package contains executable Python scripts and many data files, so running the skill will execute bundled code. Because no install step is provided, the environment is expected to already have Python and any needed libs; this expectation is not declared in metadata, which is a mismatch and can confuse users or cause unexpected failures.
Credentials
The manifest declares no required environment variables or credentials and the SKILL.md doesn't ask for secrets. That is appropriate for a design tool. But the presence of non-trivial scripts means they might still access the network, read environment variables, or call system commands — those actions are not visible in the manifest. You should review the Python sources for uses of os.environ, subprocess, socket/requests/urllib, or other I/O before granting runtime access.
Persistence & Privilege
The skill is not force-included (always: false) and is user-invocable (normal). There is no indication it requests persistent system-wide privileges or modifies other skills' configurations. Autonomous invocation is allowed (platform default); that increases the blast radius only if the code performs unexpected remote or credential access.
What to consider before installing
This package mostly looks like an opinionated frontend design assistant that uses local Python scripts and CSV data. Before running it, do the following:
(1) Confirm the environment has Python and any required libraries, or ask the author to declare required binaries/dependencies.
(2) Inspect the Python files (scripts/search.py, core.py, design_system.py) for any network calls, subprocess usage, or reads of environment variables or sensitive paths (look for requests/urllib/socket/subprocess/os.environ/open).
(3) If you can't review the code, run it in an isolated/sandboxed environment or container, not on a laptop with credentials.
(4) Ask the publisher for a homepage or source repo and for a clear dependency list (python version, pip packages).
The primary incoherence is that SKILL.md assumes 'python' is available but the metadata doesn't declare any required binaries — that should be resolved before trusting execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d43q7bpyay6p2z3pnfphjj580n1h6
