Lanhu Design
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: lanhu-design Version: 1.0.1 The skill is a legitimate wrapper for the 'lh-design' CLI tool, used to download UI assets from the Lanhu design platform. It follows good security practices by explicitly instructing the agent not to perform automatic remote installations of the CLI and correctly identifies that authentication (LANHU_COOKIE) must be provided by the user. No evidence of data exfiltration, malicious execution, or prompt injection was found in SKILL.md or _meta.json.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run a separately installed tool whose behavior depends on the version and source the user installs.
The skill's core capability depends on an external CLI that is not included in the submitted artifacts and has no pinned install spec, so its implementation was not reviewed here.
Use the `lh-design` CLI from `xuwenxindeai/lanhu-design-reader`.
Install lh-design only from a trusted source, review its README/source if possible, pin a known version, and avoid running any installer commands you do not understand.
Anyone or any tool with access to these cookies may be able to access private Lanhu design content available to that session.
The skill requires Lanhu/DDS session cookies to access authenticated design data. This is purpose-aligned, but cookies can grant account access and may persist on disk.
The user must provide `LANHU_COOKIE` via shell env, a local `.env`, or `~/.lanhu-design-reader/.env`. If DDS schema reads need a separate login state, use `DDS_COOKIE`.
Use the least-privileged or temporary session possible, protect any .env file permissions, do not paste cookies into shared chats/logs, and rotate cookies if exposure is suspected.