ClawHub

UI Prototype Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent UI prototype generator with local HTML output by default and a disclosed optional Figma workflow that needs careful token and data handling.

Install is reasonable for local HTML prototype generation. Only configure a Figma token when you need Figma output, keep that token out of Git and shared logs, and do not send confidential screenshots or internal designs to Figma unless your project policy allows it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities to read local credential files, write generated artifacts to the workspace, and send data over the network, but it does not declare or constrain those permissions. This creates a transparency and governance gap: an operator or downstream agent may invoke file and network actions without explicit review, especially when credentials in auth-profiles.json are involved.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to enable Figma API usage and configure credentials, but it does not clearly warn that screenshots, descriptions, and generated prototype data may be transmitted to Figma, an external third-party service. In a UI prototyping skill, users may provide sensitive mockups or production screenshots, so omission of a disclosure increases the risk of unintended data exposure and compliance issues.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to place a Figma personal access token in a local auth-profiles.json file but does not warn that the token is a sensitive secret that must not be committed, shared, or logged. This can lead to accidental credential exposure through version control, screenshots, support requests, or copied config files, which would allow unauthorized access to the user's Figma account or workspace via the API.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill instructs saving generated HTML to the workspace but does not warn that it will create or overwrite files. Unexpected file creation is a side effect that can surprise users, pollute repositories, or overwrite existing artifacts if filenames are reused.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to provide a Figma access token and send prototype/design data to Figma, but it does not clearly warn about credential sensitivity, retention, scope, or the privacy implications of transmitting possibly proprietary UI designs to an external service. This increases the risk of token mishandling and unintentional data disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
4. **调用 Figma API**:
   ```python
   headers = {"X-Figma-Token": auth['access_token']}
   response = requests.post(
       "https://api.figma.com/v1/files",
       json={"name": "Prototype", "nodes": nodes},
       headers=headers
Confidence
95% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
4. **调用 Figma API**:
   ```python
   headers = {"X-Figma-Token": auth['access_token']}
   response = requests.post(
       "https://api.figma.com/v1/files",
       json={"name": "Prototype", "nodes": nodes},
       headers=headers
Confidence
95% confidence
Finding
requests.post( "https://api.figma.com/v1/files", json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
   headers = {"X-Figma-Token": auth['access_token']}
   response = requests.post(
       "https://api.figma.com/v1/files",
       json={"name": "Prototype", "nodes": nodes},
       headers=headers
   )
Confidence
94% confidence
Finding
https://api.figma.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal