Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pageclaw
v1.0.0Use when the user wants to turn a page-story markdown file (page-story-*.md) into a polished static HTML page. Trigger for: personal pages, academic homepage...
⭐ 0· 102·0 current·0 all-time
byYing Xiao@xy-showing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the instructions: the skill orchestrates design-questioning, a design-system step, plan generation, build, and quality passes. However: the repository files include Python scripts (ui-ux-pro-max) and README/prerequisite notes that explicitly require Python 3, while the registry metadata declares no required binaries. Also the registry top-level metadata listed 'Source: unknown / Homepage: none' but SKILL.md and README embed a GitHub homepage URL (https://github.com/XY-Showing/pageclaw). These mismatches suggest the metadata in the registry may be incomplete or inconsistent with the packaged files.
Instruction Scope
Runtime instructions stay on-topic: they read a page-story, ask a few questions, optionally fetch up to two pages from a user-provided reference URL (uses WebFetch), invoke other internal sub-skills (teach-impeccable, ui-ux-pro-max, polish, audit), and write docs/plans and index.html into the project. This behavior is coherent with the stated purpose. Notes of caution: (1) the skill will perform network fetches of user-supplied reference URLs and analyze HTML/CSS (allowed but network I/O happens). (2) It will write files into the current working directory (page-story.md, index.html, docs/plans/...), and will copy a starter template from ~/.claude/skills/page-claw/page-story-starter.md into the user's directory if no story is found — these file operations are expected but worth knowing.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package contains numerous code files (Python scripts, datasets). The README suggests cloning from GitHub and copying files into ~/.claude/skills; it also lists Python 3 as a prerequisite. The lack of an install declaration combined with bundled scripts is a mismatch: if the skill depends on Python scripts in ui-ux-pro-max, the environment must provide Python, yet the registry declares no binaries. This is a proportionality/information gap rather than an explicit malicious install URL, but it increases the chance of runtime errors or hidden behaviors if those scripts are executed by an agent with file system/python access.
Credentials
The skill does not request any environment variables or credentials (none declared). That aligns with the declared purpose. However, the included code and README imply local tooling (Python 3) and sub-skill inter-dependencies (Impeccable, UI/UX Pro Max). If you run the full pipeline, those scripts may access local files in the skill bundle and write outputs to the project. There are no obvious requests for unrelated secrets or cloud credentials.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills' configs in the provided instructions. It will create and write files in the user's current working directory (page-story.md, index.html, docs/plans/...), and it references a path under ~/.claude/skills for its template. Writing project files is expected for this purpose; nothing indicates it will persist beyond normal file outputs or alter system-wide agent settings.
What to consider before installing
This skill appears to implement the advertised pipeline, but the package contains Python scripts while the registry metadata claims no binary requirements — expect to need Python 3 (and to place the skill files in your agent's skills directory) to run the design-system parts. Before installing/running: (1) verify the skill source (the SKILL.md and README reference a GitHub repo; confirm that URL and review the repo). (2) Inspect the included scripts (skills/ui-ux-pro-max/scripts/*.py) for any network endpoints, external calls, or unexpected filesystem access if you plan to run them. (3) Be aware the skill will create files in your current directory and under docs/plans and may fetch up to two pages from any reference URL you supply — avoid giving it private/internal URLs. (4) If you have security concerns, run the skill in an isolated environment (or review/execute only the markdown-guided steps and avoid executing bundled scripts). (5) If you need higher assurance, ask the publisher for a signed source or an official release on a repo you trust; the registry's top-level metadata inconsistencies (homepage/source) lower confidence in provenance.Like a lobster shell, security has layers — review code before you run it.
latestvk97bwzzm8jyfzmms89nf6ent7d833mnd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.