Back to skill
Skillv1.0.0
ClawScan security
primevue · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 13, 2026, 6:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only documentation bundle for the PrimeVue UI library and its requirements and instructions are consistent with that purpose.
- Guidance
- This bundle is documentation and examples for a Vue UI library and appears internally consistent. Before using the actual packages it references, verify you install them from the official npm registry or the vendor's site (check the package publisher and integrity), and prefer pinned versions. Be cautious when using third-party themes or CDN bundles—review their source and license. In your app, treat pass-through hooks and any functions injected into templates as executable JavaScript and review them for untrusted code (especially when using unstyled/pt functions or third-party presets). If you plan to use file upload examples, ensure the server endpoint (/api/upload or similar) is one you control and is secure. Overall the skill itself is documentation-only and does not ask for secrets or system access.
Review Dimensions
- Purpose & Capability
- okName/description match the included SKILL.md and reference docs. Required binaries/env/configs are none, which is appropriate for a documentation/instruction-only UI library skill. The npm packages and CDN references in the docs are consistent with a frontend UI toolkit.
- Instruction Scope
- okRuntime instructions are purely developer-facing examples (npm install, import statements, usage examples). They do not instruct the agent to access system files, secrets, or external endpoints beyond normal package registries and a CDN. Code examples show typical component usage and theming.
- Install Mechanism
- okThere is no install spec for the skill itself (instruction-only). The docs recommend installing packages from npm or using a CDN (unpkg), which is expected for this kind of library and does not create additional installer risk within the skill bundle.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. Package dependencies mentioned (primevue, @primeuix/themes, @primevue/forms, etc.) are appropriate for the stated functionality and there are no unexplained secrets or cross-service credentials.
- Persistence & Privilege
- okSkill flags show default privileges (always: false, agent invocation allowed). There is no request for permanent system presence or modification of other skills/configs.