Design mobile apps
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Sleek design integration, but it uses a Sleek API key and can change Sleek projects, so users should use limited scopes.
Install only if you intend to use Sleek's hosted design API. Create a narrowly scoped, revocable SLEEK_API_KEY, avoid sharing sensitive image URLs or design content, and require explicit confirmation before any project deletion or other destructive action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key has broad scopes, the agent can read and modify Sleek projects within those permissions.
The skill relies on a bearer token that delegates access to the user's Sleek account. This is expected for the integration, but the token's scopes determine what the agent can do.
**Auth**: `Authorization: Bearer $SLEEK_API_KEY` on every `/api/v1/*` request
Use a revocable Sleek API key with only the scopes needed for the current task, and avoid granting write/delete scopes unless they are required.
Using the wrong project ID or granting broad write scope could result in deleting a Sleek project.
The API reference includes a destructive project deletion endpoint. It is purpose-adjacent for project management and not presented as an automatic default, but it is still a high-impact action.
`DELETE` | `/api/v1/projects/:id` | `projects:write` | `Delete project`
Confirm the exact project and user intent before any delete operation; prefer read-only or narrowly scoped keys for design review tasks.
Sensitive images or private URLs included in requests may be exposed to Sleek's service for processing.
The skill discloses that URLs supplied in design messages may be fetched by Sleek's servers, creating a third-party data boundary for referenced images.
**Image URLs**: When using `imageUrls` in chat messages, those URLs are fetched by Sleek's servers. Avoid passing URLs that contain sensitive content.
Only provide image URLs that are safe to share with Sleek, and avoid private or credential-bearing URLs.
A user relying only on registry metadata may not realize the skill needs a Sleek API key and network access.
The registry metadata does not advertise the API key requirement that SKILL.md itself declares. This is a disclosure gap rather than hidden credential use because the skill document names SLEEK_API_KEY explicitly.
Required env vars: none ... Env var declarations: none ... Primary credential: none
Update the registry metadata to declare SLEEK_API_KEY and the Sleek host so the install surface matches the documented behavior.
