Web Design Guidelines
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is simple and non-persistent, but it fetches an unpinned remote GitHub file and tells the agent to follow that file’s instructions during reviews.
Before installing, verify that you trust the remote GitHub guideline source and consider using it only on intended project files. The safer version would pin or bundle the guidelines instead of fetching mutable instructions each time.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote guideline file changes unexpectedly or is compromised, it could steer the agent away from the user’s intended review behavior while the agent is reading project files.
The skill instructs the agent to treat remotely fetched content as operational instructions, including output-format instructions, rather than only as reference data.
"Use WebFetch to retrieve the latest rules. The fetched content contains all the rules and output format instructions."
Pin the guidelines to a reviewed commit or vendor the guideline text into the skill; if fetching remains necessary, instruct the agent to treat fetched text as untrusted reference material and ignore any commands unrelated to UI review.
Users may get different review behavior over time even when the installed skill version has not changed.
The skill depends on a mutable remote file from the main branch, so its effective behavior can change without a registry version update.
"Fetch fresh guidelines before each review: https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md"
Prefer a pinned commit/tag or include a reviewed copy of the guidelines with the skill, and disclose when live network fetching is required.
