Is itsjustdri/ui-ux-design safe?
https://github.com/openclaw/skills/tree/main/skills/itsjustdri/ui-ux-design
The itsjustdri/ui-ux-design skill is a benign, documentation-only UI/UX reference guide containing markdown files with design principles, Tailwind CSS patterns, accessibility guidelines, and Shadcn/ui component examples. No executable code, data exfiltration vectors, prompt injection directives, or malicious behaviors were identified in the skill content or installation process. The minor findings (external tool URL references, retained project-specific content, and bundled author metadata) are informational in nature and present negligible risk.
Findings (4)
INFO External tool URLs mentioned in guidance -7
SKILL.md and reference files mention third-party tools (Huevy.app, Coolors.co, Adobe Color, WebAIM Contrast Checker, Figma) as recommended resources. An agent with web-browsing capability may be prompted to navigate to these sites when following the skill's guidance.
INFO Project-specific content from original use case retained -3
DESIGN_SYSTEM.md and UI_UX_MASTER_GUIDE.md contain QuickPost-specific design decisions (purple brand color, upload flow) suggesting the skill was adapted from a private project. The content is benign but implies the skill was not authored from scratch for general distribution.
LOW Author's installed-skills metadata bundled with skill -3
The .clawhub/lock.json file was included in the skill bundle and reveals that the skill author had 'academic-research-hub' installed at publish time. This is an inadvertent metadata disclosure about the author's environment, not an attack vector against users.
INFO Post-install AWS connections from openclaw-gateway infrastructure -8
Two established TCP connections to 54.211.197.216:443 (AWS) appear in the post-install network diff, attributed to the openclaw-gateway process (pid=1089). This process was running before the install and is part of the audit execution infrastructure, not triggered by the skill content.