Is frontend-design-ultimate safe?
https://clawhub.ai/kesslerio/frontend-design-ultimate
frontend-design-ultimate is a legitimate frontend scaffolding skill that creates React/Next.js projects with opinionated design guidelines. Its primary risks are architectural: shell scripts that install unpinned npm dependencies (supply-chain attack surface) and strong directive language that overrides agent defaults. No malicious intent detected, but the code execution surface area warrants caution.
Findings (8)
HIGH Unpinned npm dependency installation via shell scripts -35
init-vite.sh and init-nextjs.sh execute npm install and npx commands for 15+ packages without version pinning. This creates a supply-chain attack surface where a compromised or typosquatted package could execute arbitrary code via postinstall hooks.
HIGH Shell scripts execute arbitrary commands -17
Three shell scripts (init-vite.sh, init-nextjs.sh, bundle-artifact.sh) are designed to be run via bash. They create files, install packages, and modify project configuration. While individually each command is standard scaffolding, the aggregate effect is significant code execution.
MEDIUM Strong directive overrides for agent behavior -25
SKILL.md uses imperative language (BANNED, NEVER, DO) to override the agent's default design decisions. The agent is instructed to never use certain fonts, never use certain color schemes, and never use certain layouts — even if the user might want them.
MEDIUM Skill instructs agent to execute shell commands -13
The build workflow sections instruct the agent to run bash scripts and npm commands as part of normal operation, effectively getting the agent to execute code on the user's behalf without explicit per-command consent.
LOW External URL references in skill content -5
The skill references external URLs that an agent might fetch, including esm.sh for dependencies, ui.shadcn.com for documentation, and youtube.com embed patterns.
LOW Platform runtime accessed sensitive files during install -10
The OpenClaw runtime (not the skill itself) read .env, .aws/credentials, and auth-profiles.json during installation. Although this is not attributable to the skill, it is noted because the skill's execution context has access to these files.
INFO JIT cache and temp files created during install -5
The OpenClaw runtime created JIT compilation cache files in /tmp/jiti/ and a gateway lock file in /tmp/openclaw-1000/. This is normal platform behavior.
INFO Skill is a fork/derivative of known community skills -10
The skill self-identifies as 'Based on Anthropic's frontend-design, web-artifacts-builder, and community frontend-design-v2 skills' — it is a derivative work, not an original creation. The provenance chain should be verified.