Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

awesome-demo-web-build

v1.0.1

AI-native web demo project generator using Project Blueprint system. Use when user wants to "build a demo", "create a web project", "generate a landing page"...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (generate web demo projects) matches the instructions (use npx create-next-app, shadcn, install dependencies, inject DESIGN.md). However the skill declares no required binaries or environment variables even though the runtime instructions assume node/npm/npx, and network access to fetch external DESIGN.md and npm packages — a mismatch that should have been declared.
Instruction Scope
SKILL.md stays within the stated purpose (scaffold a project, inject design spec, generate components). It instructs the agent to perform network fetches (WebFetch) of DESIGN.md from raw.githubusercontent.com and to write DESIGN.md into the project root. Those are reasonable for the task but they permit downloading external content into generated projects and adding remote script tags (iconfont/Alibaba CDN), which increases supply‑chain/runtime risk.
Install Mechanism
There is no formal install spec (instruction-only), which minimizes direct disk changes by the skill itself. But the scaffolding commands invoke npx/npm which will download packages from public registries and third‑party CDNs at runtime — normal for scaffolding, but still a supply‑chain vector. The external sources used (npm packages, raw.githubusercontent.com, at.alicdn.com) are public and common, but the skill does not document or vet specific package versions.
Credentials
The skill requests no credentials or environment variables. That is proportionate to its purpose. There is no attempted access to unrelated config paths or secrets in SKILL.md. (Note: some recommended stacks may later require user credentials, e.g., Supabase or Stripe, but those are not requested by the skill itself.)
Persistence & Privilege
always:false and no install hooks are present. The skill does not request persistent presence, does not modify other skills, and does not declare self-elevation. It writes files into the scaffolded project only after explicit confirmation per the instructions.
What to consider before installing
This skill appears to be a legitimate web-project scaffolding guide, but take precautions before running the generated commands:

- The SKILL.md assumes you have node/npm/npx and network access; the skill metadata does not declare these requirements. Install or confirm Node.js tooling first.
- The scaffolding commands run npx/npm, which will download packages from npm and other registries. Inspect the generated package.json and node_modules before running or deploying the project.
- The skill fetches DESIGN.md files from raw.githubusercontent.com and suggests adding remote icon JS from at.alicdn.com; those external resources will be embedded in your project and may execute remote code at runtime. Prefer to review the downloaded DESIGN.md and avoid embedding remote script tags unless you trust the source.
- If you plan to run this on a sensitive machine or in CI, run the scaffold in an isolated/containerized environment, and review all fetched files and added dependencies.

If you want higher assurance, ask the publisher for explicit declarations of required binaries (node/npm), pinned package versions, and an allowlist of remote hosts the skill will fetch from.

