ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shadcn Theme Default

v0.1.1

Enforces the default shadcn/ui Neutral theme (black/white/gray) with OKLCH CSS variables, Tailwind v4 integration, and dark mode support

0· 587·1 current·1 all-time
byGuilherme Favaron@guifav
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md content aligns with the stated purpose (modify CSS and Tailwind config to enforce a Neutral theme). However there are metadata inconsistencies: the registry header in the evaluation says 'Required binaries: none' and 'Homepage: none' while claw.json declares required bins ['node','npx'], a homepage (GitHub), a different version number (1.0.0 vs registry 0.1.1), and a filesystem permission. Requesting node/npx and filesystem access can be legitimate for a theming skill but the mismatch across sources is unexplained and should be clarified.
Instruction Scope
The SKILL.md limits actions to CSS/Tailwind files and includes an explicit planning protocol and a prohibition on reading .env/credential files. It instructs checking project CSS and Tailwind config files and making sequential changes; no external endpoints, credential access, or broad collection behavior is requested.
Install Mechanism
This is an instruction-only skill with no install spec or code files (low install risk). But claw.json claims runtime requirements (node, npx) and a skill dependency ('stack-scaffold'). Because there is no install spec, it's unclear whether the skill actually needs to run node/npx or invoke another skill that does—this inconsistency increases risk and should be resolved.
Credentials
The skill does not request environment variables or credentials and the SKILL.md explicitly forbids reading .env/credential files. The declared filesystem permission (in claw.json) is proportionate to a skill that edits project CSS/config files, but you should verify the exact scope of filesystem writes.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill requests filesystem permissions which are expected for making theme changes, but filesystem write capability is powerful—ensure it only modifies intended project files. The 'skillDependencies' on 'stack-scaffold' could cause the agent to scaffold or modify more files than just theme assets; clarify this behavior before granting access.
What to consider before installing
This skill appears to do what it claims (apply a Neutral shadcn/ui theme) and its runtime instructions are narrowly scoped to CSS and Tailwind config. However, metadata mismatches are a red flag: claw.json lists filesystem permission, node/npx runtime, a GitHub homepage, and a different version than the registry header. Before installing: (1) ask the publisher for the source repo link and verify the repository contents and release tag; (2) confirm why node/npx and the 'stack-scaffold' dependency are declared and what commands (if any) will be executed; (3) review which paths the skill will modify (preferably run it in a sandbox or branch and review diffs); and (4) refuse installation if the author cannot explain the metadata inconsistencies or provide a trustworthy source. If you proceed, grant minimal filesystem scope and use version control so you can revert changes.

Like a lobster shell, security has layers — review code before you run it.

latestvk9751mwgyf1vzngd86ptdbjsq183fk9g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments