Is Magdoub/claude-wireframe-skill safe?

The skill instructs the agent to use the Explore agent to scan all CSS, JS, TS, JSX, TSX, HTML, PHP, ERB, EJS, HBS, Vue, and Svelte files across the entire project. While this serves the legitimate purpose of understanding design patterns, it grants the skill very broad read access to the codebase. A malicious modification to this skill could leverage this scanning to extract sensitive information.

The skill creates and reads wireframe/brain/design-context.md on every invocation. If an attacker could modify this file (e.g., through a supply chain attack on the project repo), they could inject prompt injection content that would be loaded into the agent's context on every subsequent wireframe command.

The skill assigns the agent a 'senior UX architect' persona and instructs it to create directories and write files without per-action user confirmation. This is standard for generative skills but represents a mild authority escalation.

The filesystem monitoring shows reads of .env, .aws/credentials, .openclaw/openclaw.json, .profile, and .bashrc. Analysis of the timing and context indicates these are from the audit environment's own tooling (openclaw gateway, jiti transpiler) initializing, not from the skill's git clone operation. The skill repo contains no executable code that could trigger these reads.

The skill instructs the agent to generate HTML files with inline JavaScript for interactivity (tabs, accordions, hover states). This JS runs in the user's browser when they open the wireframe, not during skill installation. The JS is generated by the agent per the skill's template, not supplied as static code by the skill author.

The skill's frontmatter includes 'disable-model-invocation: true', which prevents the skill from being automatically triggered by the LLM. It can only be invoked explicitly by the user via /wireframe. This reduces the risk of unintended activation.