Skill v4.6.0

ClawScan security

Huo15 Openclaw Frontend Design · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 5:14 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, examples, and runtime instructions are coherent with a frontend/design starter kit and do not request unexplained credentials, installs, or system access.
Guidance
This skill appears to be a coherent frontend design starter pack with examples and an a11y/self‑verify workflow. Before installing or running:
1) Be aware the self‑verify steps assume access to a browser and developer tools (Playwright, Lighthouse, axe‑core) or a browser session where you may sign into a third‑party model UI (e.g., 'Claude in Chrome MCP'); install those tools separately and avoid pasting secrets into browser prompts.
2) The HTML examples load Google Fonts (fonts.googleapis.com) when rendered — if you have privacy constraints, host fonts locally.
3) If you run any supplied scripts or follow the self‑verify automation, review the exact commands in references/self-verify.md and run them in a controlled environment (CI or VM) to avoid unexpected network or system interactions.
4) No environment variables or credentials are required by the skill package itself; treat any prompt to provide API keys or tokens as outside the declared behavior and verify before supplying.

Review Dimensions

Purpose & Capability
ok: Name/description promise high‑fidelity UI starters, design tokens, multi‑genre examples, and an accessibility self‑verify workflow; the repository contains matching assets (HTML examples, mini‑program starters, token JSON, and references). There are no unrelated credentials, binaries, or odd config path requirements.
Instruction Scope
note: SKILL.md describes a self‑verify workflow that prefers 'Claude in Chrome MCP' and falls back to Playwright CLI, browser devtools, and axe‑core/Lighthouse audits. Those instructions are within the skill's stated verification goal but assume the agent/environment has browser access, Playwright/Lighthouse/axe installed, or the user will run IDEs. It does not instruct reading unrelated system files or exfiltrating secrets, but it does imply running developer tools and possibly connecting to external model UIs (browser).
Install Mechanism
ok: This is an instruction‑only skill with no install spec; no downloads, package installs, or extracted archives are requested. Example files are static and included in the package.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config paths. The self‑verify workflow references third‑party tools and browser‑based model sessions but does not request secrets or credentials in the skill metadata.
Persistence & Privilege
ok: Flags show normal defaults: always:false, user‑invocable:true, and model invocation allowed (default). The skill does not request permanent presence or system‑level configuration changes.