Variant Design Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent, instruction-only UI design skill. The only points worth noting are that it reads project design context from local files and persists that context for consistency across generations.
This appears safe for normal use as a UI design-generation aid. Before installing, be aware that it may read project styling/component docs to infer brand context and may write that context into generated files or conversation history; review those details if your project contains confidential information.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may look at project files to match the generated designs to your existing brand and UI patterns.
The skill asks the agent to inspect local project files to infer design context. This is purpose-aligned for UI generation, and the instructions tell the agent to confirm its inferences with the user, but users should know that it may read parts of their codebase before that confirmation step.
If the user can't answer, infer from their codebase: scan for existing color variables, font imports, component patterns, and README/brand docs. Confirm inferences before proceeding.
Use it in projects where reading style, component, and README/brand files is acceptable, and review the inferred context before allowing generation.
Design preferences or project details may be written into generated files or reused later in the conversation.
The skill explicitly stores project design context for reuse. This supports consistency, but persisted context can carry sensitive project details or stale assumptions into later generations.
Persist context as a comment block at the top of generated files or in the conversation — reference it in every subsequent generation to ensure consistency across variations.
Avoid including secrets or confidential business details in the design context, and review any generated comment blocks before committing files.
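The two recommendations above (review which style, component and README/brand files the agent would read, and review the persisted design-context comment block before committing) can be turned into a small pre-generation and pre-commit check. The script below is an added example written for this report; it is not part of the skill or of ClawScan. It assumes a comment-block syntax the skill does not specify (a leading /* ... */, // or # block), uses illustrative sensitive-content patterns rather than a complete secret scanner, and runs over a constructed sample project and two constructed generated files embedded inline.

```python
import re

# Added example, not the skill's or ClawScan's code. Assumptions: the persisted
# design context sits in a leading /* ... */, // or # comment block (the skill
# leaves the syntax open), and the patterns below are illustrative heuristics.

BLOCK_COMMENT = re.compile(r"\A\s*/\*(.*?)\*/", re.S)
LINE_COMMENTS = re.compile(r"\A((?:[ \t]*(?://|#).*\n?)+)")

SENSITIVE = [
    ("aws access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S+")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("internal hostname", re.compile(r"(?i)\b[a-z0-9.-]+\.(internal|corp|local)\b")),
    ("confidentiality marker",
     re.compile(r"(?i)\b(confidential|internal only|do not distribute|unreleased)\b")),
]


def leading_comment(text):
    """Return the comment block at the top of a generated file, or ''."""
    m = BLOCK_COMMENT.match(text) or LINE_COMMENTS.match(text)
    return m.group(1) if m else ""


def find_sensitive(text):
    """Return (line_number, label, stripped_line) for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SENSITIVE:
            if pattern.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


def is_design_source(path, content):
    """Heuristic for the files the skill says it scans: README/brand docs,
    CSS custom properties (color variables) and font imports."""
    name = path.rsplit("/", 1)[-1].lower()
    if name.startswith("readme") or "brand" in name:
        return True
    if re.search(r"--[a-z][\w-]*\s*:", content):
        return True
    if re.search(r"@font-face|@import\s+url\([^)]*font", content, re.I):
        return True
    return False


def review_context_sources(files):
    """files: {path: content}. Returns (paths the agent would read,
    {path: hits}) so the user can see what would be exposed to the agent."""
    selected = {p for p, c in files.items() if is_design_source(p, c)}
    hits = {}
    for path in selected:
        found = find_sensitive(files[path])
        if found:
            hits[path] = found
    return selected, hits


def review_generated(files):
    """Check only the persisted design-context comment block of each file."""
    report = {}
    for path, content in files.items():
        found = find_sensitive(leading_comment(content))
        if found:
            report[path] = found
    return report


# Constructed sample project (not a real code base).
SAMPLE_PROJECT = {
    "src/styles/tokens.css": (
        ":root { --brand-primary: #0a5ad7; --font-body: 'Inter'; }\n"
        "@import url('https://fonts.googleapis.com/css2?family=Inter');\n"),
    "README.md": (
        "# Acme Dashboard\n"
        "Brand: deep blue, generous rounding, dense data tables.\n"
        "Staging DB password: s3cr3t-pass\n"),
    "docs/BRAND.md": "Internal only: the Q3 rebrand is unreleased.\n",
    "src/api/client.js": "const key = 'AKIAABCDEFGHIJKLMNOP';\n",
}

# Constructed output of a generation run, with the persisted context block.
GENERATED = {
    "src/components/Card.v1.jsx": (
        "/* Design context\n"
        "   Brand: Acme Dashboard, primary #0a5ad7, font Inter\n"
        "   Staging DB password: s3cr3t-pass\n"
        "*/\n"
        "export const Card = () => null;\n"),
    "src/components/Card.v2.jsx": (
        "/* Design context: primary #0a5ad7, font Inter, rounded corners */\n"
        "export const Card = () => null;\n"),
}

if __name__ == "__main__":
    selected, source_hits = review_context_sources(SAMPLE_PROJECT)
    print("files the agent would read:", sorted(selected))
    for path, found in {**source_hits, **review_generated(GENERATED)}.items():
        for lineno, label, line in found:
            print(f"{path}:{lineno}: {label}: {line}")
```

In the sample, the README carries a staging password that the agent would read and then copy into the first variant's context block, while the API client file with the access key is not a design source and is left alone; the check surfaces the first case before generation and again before commit. Run it as a pre-commit hook over the generated files and extend SENSITIVE with the markers that matter in your own project.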
The publisher and canonical project location cannot be confirmed from the registry metadata alone.
The registry metadata does not provide a clear source or homepage, although the README includes a GitHub install command. Because this is instruction-only and no executable code is present, this is a provenance note rather than a security concern.
Source: unknown; Homepage: none
Install only from a trusted registry entry or repository, and compare the README/SKILL.md contents with the source you intend to use.
