Design mobile apps
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key has broad scopes, the agent can read and modify Sleek projects within those permissions.
The skill relies on a bearer token that delegates access to the user's Sleek account. This is expected for the integration, but the token's scopes determine what the agent can do.
**Auth**: `Authorization: Bearer $SLEEK_API_KEY` on every `/api/v1/*` request
Use a revocable Sleek API key with only the scopes needed for the current task, and avoid granting write/delete scopes unless they are required.
Using the wrong project ID or granting broad write scope could result in deleting a Sleek project.
The API reference includes a destructive project deletion endpoint. It is purpose-adjacent for project management and not presented as an automatic default, but it is still a high-impact action.
`DELETE` | `/api/v1/projects/:id` | `projects:write` | `Delete project`
Confirm the exact project and user intent before any delete operation; prefer read-only or narrowly scoped keys for design review tasks.
Sensitive images or private URLs included in requests may be exposed to Sleek's service for processing.
The skill discloses that URLs supplied in design messages may be fetched by Sleek's servers, creating a third-party data boundary for referenced images.
**Image URLs**: When using `imageUrls` in chat messages, those URLs are fetched by Sleek's servers. Avoid passing URLs that contain sensitive content.
Only provide image URLs that are safe to share with Sleek, and avoid private or credential-bearing URLs.
A user relying only on registry metadata may not realize the skill needs a Sleek API key and network access.
The registry metadata does not advertise the API key requirement that SKILL.md itself declares. This is a disclosure gap rather than hidden credential use because the skill document names SLEEK_API_KEY explicitly.
Required env vars: none ... Env var declarations: none ... Primary credential: none
Update the registry metadata to declare SLEEK_API_KEY and the Sleek host so the install surface matches the documented behavior.
