Front End Dev

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a normal front-end site-building skill; the main thing to watch is that its optional setup scripts install current npm packages when you run them.

This looks coherent for a front-end scaffolding/design skill. Before using it, review the shell scripts, run them without elevated privileges, use a clean project directory, and be comfortable with npm/npx downloading dependencies from the public package ecosystem.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When the user runs the setup script, third-party package code from the npm ecosystem may be downloaded and executed as part of project creation.

Why it was flagged

The setup script downloads and runs current npm/shadcn packages, including @latest versions rather than pinned versions. This is normal for front-end scaffolding, but it means the installed code can change over time.

Skill content
npm create vite@latest "$PROJECT_NAME" ... npm install -D tailwindcss postcss autoprefixer ... npx shadcn@latest add button badge card accordion dialog navigation-menu tabs sheet separator avatar alert -y
Recommendation

Run the scripts only in a new or intended project directory, review the generated package files, and pin dependency versions or commit a lockfile before relying on the project for production.