Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Design MD Generator
v1.0.0
Generate DESIGN.md files from any website URL. Extracts the complete visual design system — colors, typography, spacing, components, shadows — into a structu...
by @wavmson
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill really does what it claims: it captures a site and extracts CSS tokens to produce a DESIGN.md. However, the package claims no required binaries/env but includes a Node script that requires Node and the Puppeteer library (which pulls a headless Chromium). Not declaring these runtime requirements is an incoherence: a legitimate design-extraction tool would need Node/Puppeteer or a platform browser, so the omission should be fixed or documented.
Instruction Scope
SKILL.md gives a narrow, well-scoped runtime procedure: use the platform browser to screenshot/snapshot and run the included extraction script to collect computed styles, CSS vars, fonts, spacings, and shadows. The script only inspects DOM/computed styles and writes structured JSON; it does not call external endpoints or exfiltrate data. It does iterate document.styleSheets and computed styles (which is necessary to find tokens) — that can reveal any styles present on the page, but this is consistent with the stated purpose.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the included scripts rely on Puppeteer. If Puppeteer/Chromium are not present, the extraction will fail or installing Puppeteer will trigger a large Chromium download. The repository does not declare or vendor dependencies (no package.json), so the runtime environment must already provide Node + Puppeteer or the user must install them manually — an operational omission that could lead to unexpected downloads/executables.
Credentials
The skill requests no environment variables or credentials. The extraction script writes output to a filesystem path (default /tmp/design-tokens.json). It accesses only the target URL's DOM and styles (title, URL, computed styles, CSS custom properties). There are no hard-coded remote endpoints or secret-typed env variables requested. This is proportionate to the purpose.
Persistence & Privilege
The skill does not request persistent system presence; always:false. It does write an output file and spawns a headless browser process while running, which is normal for this task. It does not modify other skills or system-wide configs.
What to consider before installing
This skill appears to do what it says (scrape a site's computed styles and output tokens), but there are operational and privacy details to check before installing:
1) The package omits runtime requirements — you need Node and the Puppeteer package (which typically downloads Chromium). Be prepared for that download or run in an environment where Puppeteer/Chromium are already available.
2) The extractor loads the target URL in a headless browser and inspects the DOM and styles; do not point it at private/internal sites or pages containing sensitive info unless you understand the privacy implications.
3) The script writes a JSON file (default /tmp/design-tokens.json); you may want to change the output path if running in a shared environment.
4) If you need higher assurance, request the author add a package.json with pinned dependencies or a documented install step, and remove the duplicate 'browser tool' + Puppeteer navigation in the workflow (currently both are used).
If these operational issues are acceptable and you trust the source, the skill is usable; otherwise ask the publisher for clearer dependency and installation instructions before proceeding.
Like a lobster shell, security has layers — review code before you run it.
