AIButton
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill appears to generate the promised AI button files, with the main caution that the generated button communicates with a parent web page and should be used only in a trusted host.
This skill is reasonable for generating Vision Node button control files. Before using the ZIP in a real project, review the generated index.html and deploy it only in a trusted parent page or iframe environment, especially if button messages can trigger real equipment or business actions.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the generated button is embedded in an untrusted page, that page could influence the button state or data messages.
The generated control listens for browser messages from its parent page and acts on event.data, but the shown pattern does not include origin/source validation. This communication is central to the stated iframe control purpose, so it is a note rather than a concern.
window.addEventListener('message', function(event) { if (event.data.type === 'Digital') { ID = event.data.num; } else if (event.data.type === 'Data') { MPV = event.data.value; processMPVData(); } });Use the generated control only inside the intended trusted Vision Node host, or add origin/source checks and message-shape validation before deployment.