Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

UI / UX

v1.0.0

Searchable UI/UX design databases: 50+ styles, 97 palettes, 57 font pairings, 99 UX rules, 25 chart types. CLI generates design systems from natural language. Data-driven complement to ui-design.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, CSV data files, and CLI examples align with a UI/UX design-data + generator tool. However, the skill metadata lists no required binaries while the SKILL.md explicitly requires Python 3 for the CLI — that's an inconsistency. The README also contains 'npx add https://github.com/...' lines (a repo tree URL), which is an odd install hint and should be verified against the registry's actual install mechanism.
Instruction Scope
Runtime instructions direct the agent/user to run python3 scripts/search.py and to persist generated design systems (creating design-system/MASTER.md and a pages/ folder). This is consistent with a CLI tool, but it grants the skill broad discretion to write files under the working directory and read the bundled CSV datasets. The SKILL.md does not instruct network calls, but the included Python scripts could contain network I/O or other operations — the instructions give the skill permission to execute local code without declaring that in metadata.
Install Mechanism
There is no formal install spec in the registry entry, yet the package contains executable scripts and the README shows various install commands (npx clawhub install and an 'npx add https://github.com/...' line). The GitHub URL in README is a repo tree link rather than a clear release archive — this is unusual and worth confirming. Because code files (scripts/*.py) are included and expected to be executed, the absence of a declared install step or verified release artifacts increases the surface for supply-chain risk.
Credentials
The skill requests no environment variables, credentials, or config paths in its metadata, and the SKILL.md does not ask for secrets. That is appropriate for a local design-data CLI. The only missing piece is that Python 3 is required but not listed under required binaries in the registry metadata.
Persistence & Privilege
The metadata sets always:false and requests no elevated privileges. The skill will persist files into a local design-system/ directory by default, which is within expected scope. However, the skill includes manual install instructions that copy files into dotfile directories (~/.ai-skills, ~/.cursor/skills, .claude/skills), which implies it expects filesystem write access to the user's home and project directories — normal for a CLI, but worth being explicit about.
What to consider before installing
This skill appears to be a locally run Python CLI that uses bundled CSV databases to generate design systems — that matches its description. However, before installing or running it you should:

1) Inspect the Python scripts (scripts/search.py, core.py, design_system.py) for any network requests, remote endpoints, or unexpected filesystem access.
2) Confirm the install source/provenance (who published it and whether the GitHub URL in the README is legitimate).
3) Because SKILL.md requires python3 but the registry entry doesn't list python as a required binary, run the CLI in a controlled environment (virtualenv or container) and not with elevated privileges.
4) If you plan to use the persistence features, be aware the tool will write files under the current project, and the README suggests copying files into ~/.ai-skills or other home directories — only do that after manual review.

If you cannot review the scripts yourself, run them in an isolated sandbox or ask the publisher for a signed release or source repository to review.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973zka3nkzdp4dhr0qxzpmje980x250

