Skill v0.1.0
ClawScan security
Variant Design Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 11:36 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions align with its stated purpose (generating UI design variations); it is instruction-only, asks for no credentials, and has no install steps. It does, however, instruct the agent to scan a user's codebase for brand/context, so be mindful of which project files you allow it to read.
- Guidance: This skill appears to be what it claims: a design-variation generator using included references. Two practical cautions before installing/using it: 1) Codebase scanning: the skill explicitly says it will scan your project for colors, fonts, components, and README/brand docs if you don't provide context. Only allow this when you want the agent to access those files (e.g., in a project workspace). If you have sensitive code or secrets in the repository, do not allow an untrusted agent to scan it. 2) Review outputs before committing: the skill writes/exports outputs (HTML/React, tokens). Inspect generated files for accidental inclusion of any secret strings or file contents you did not expect. The skill does not request external endpoints or credentials, but generated files could contain inferred brand text or data from your project. No install or credentials are required, so the main decision is whether you are comfortable granting the agent read access to the project files it may scan to infer brand/context. If you want stricter limits, provide the design context manually rather than granting repo access.
Review Dimensions
- Purpose & Capability: ok. Name/description (generate UI design variations) match the provided assets and runtime instructions: design references, palettes, and actions are all design-related. No unrelated binaries, env vars, or external services are requested.
- Instruction Scope: note. SKILL.md instructs the agent to gather project context and, if the user can't answer, to infer it from the user's codebase (scan for color variables, font imports, component patterns, README/brand docs). Scanning a codebase is coherent with generating brand-consistent designs, but it means the agent will read project files; confirm consent and scope before allowing scans.
- Install Mechanism: ok. No install spec and no code files executed at runtime (instruction-only). This minimizes disk writes and arbitrary-code install risk.
- Credentials: ok. The skill requires no environment variables, credentials, or config paths. All declared needs (design references, palettes) are local files included in the skill bundle, proportional to the stated function.
- Persistence & Privilege: ok. Flags show always:false and no special persistence. The skill will not be force-enabled and does not request system-wide configuration or other skills' credentials.
