Is felipeoff/ant-design-skill safe?

https://github.com/openclaw/skills/tree/main/skills/felipeoff/ant-design-skill

95
SAFE

The felipeoff/ant-design-skill is a legitimate, well-structured Ant Design React UI development skill containing documentation, code patterns, protocol files for LLM-assisted code generation, and a starter project template. No prompt injection, data exfiltration, or malicious code execution mechanisms were detected; all canary files remained intact and no sensitive files were accessed during installation. The only notable findings are low-severity: strong LLM output directives in the protocols/ files (which enforce code quality, not adversarial behavior) and a bundled npm starter project that could trigger dependency downloads if an agent actively invokes it.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 98/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 92/100 · 5%

Findings (4)

LOW Aggressive LLM output directives in protocol files -5

protocols/OUTPUT_CONTRACT.md and protocols/UI_SPEC.md contain structured imperatives ('MUST', 'MUST NOT', 'REQUIRED') intended to control how an LLM generates code when these files are read. The intent appears to be enforcing code quality standards (no placeholder code, full file output, TypeScript compilation), not adversarial override. However, these directives do attempt to shape agent behavior beyond what SKILL.md declares.

LOW Bundled runnable npm project in starter/ -3

The starter/ directory is a complete Vite project scaffold. If an agent follows skill instructions to use it ('Use starter/ when you need a runnable Vite + React + AntD skeleton'), it may run npm install pulling ~50 external packages. No lifecycle hooks are present that would auto-execute on install, so risk is contingent on agent actively invoking npm.

INFO GNOME session initialized during audit VM startup 0

Filesystem monitoring captured extensive GDM/PAM/GNOME session initialization activity (reading /etc/passwd, /etc/shadow, /etc/group, /etc/pam.d/*, keyrings). This is normal VM boot activity unrelated to the skill under test.

INFO Accidentally committed .clawhub/lock.json reveals developer environment -1

The lock.json shows the skill author had 'academic-research-hub' installed when they committed this file. Not a security risk to end users but indicates sloppy hygiene about what gets committed to the public repo.