Is chyinan/terminal-ui-website-design safe?
https://github.com/openclaw/skills/tree/main/skills/chyinan/terminal-ui-website-design
The chyinan/terminal-ui-website-design skill is a comprehensive but purely passive design system reference covering colors, typography, spacing, components, animations, and dark mode. SKILL.md contains no prompt injection attempts, no instructions to access sensitive resources, and no malicious directives of any kind — only CSS variable definitions, HTML component patterns, and a standard browser-side theme toggle script. Install-time monitoring showed expected behavior: a single HTTPS connection to GitHub for the sparse checkout, no unexpected process spawning, and canary file accesses attributable entirely to the Oathe monitoring infrastructure rather than the skill itself.
Findings (3)
INFO Browser-side JavaScript in SKILL.md is benign theme toggle -3
A complete JavaScript IIFE is embedded in SKILL.md for toggling light/dark mode using localStorage and CSS data-theme attribute. The code is well-scoped, makes no network requests, reads no sensitive files, and is intended as a copy-paste reference for web developers building interfaces with the design system.
INFO Pre-install and post-install canary reads attributable to audit infrastructure -2
Both rounds of canary file accesses (.env, id_rsa, .aws/credentials, etc.) occurred outside the skill execution window — the first at 04:06:06 before cloning, the second at 04:06:29 during post-install canary integrity verification. The skill process tree (git-remote-https, git checkout, cp) shows no access to these files. Canary integrity report confirms all files remain unmodified.
INFO Single expected HTTPS connection to GitHub during install -2
The only external network connection during install was to GitHub (140.82.121.4:443) for the git sparse-checkout. The connection completed normally and reached TIME-WAIT state post-install. No additional DNS queries or outbound connections were initiated by the skill.