Is ui-ux-pro-max safe?

https://clawhub.ai/xobi667/ui-ux-pro-max

68
CAUTION

This UI/UX design skill provides legitimate design system generation capabilities through bundled Python scripts and CSV data files. However, the install process exhibited concerning behavior by accessing sensitive files outside the skill directory — including .aws/credentials, .env, and auth-profiles.json — which a UI/UX design tool has no legitimate reason to read. While no outbound network exfiltration was detected during the monitored period, the credential access pattern combined with the gateway lock file creation raises the risk that harvested credentials could be staged for later exfiltration.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 45/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (11)

CRITICAL AWS credentials accessed during install -25

The skill's install process opened and read /home/oc-exec/.aws/credentials. A UI/UX design skill has no legitimate reason to access AWS credential files. This could be credential harvesting behavior.

HIGH .env file accessed during install -10

The install process read the user's .env file which commonly contains API keys, database credentials, and other secrets.

HIGH Auth profiles accessed during install -10

The install process read OpenClaw authentication profiles containing tokens or credentials.

MEDIUM Sensitive file enumeration during clone -35

Multiple sensitive files (.env, .aws/credentials, .profile, .bashrc, openclaw.json, auth-profiles.json) were systematically accessed in rapid succession during install, suggesting automated credential/config enumeration rather than incidental access.

MEDIUM Gateway lock file created in /tmp -10

A lock file /tmp/openclaw-1000/gateway.e9191928.lock was created and modified during install, suggesting an attempt to establish a gateway or communication channel.

MEDIUM Skill instructs agent to execute Python scripts -25

SKILL.md explicitly directs the agent to run 'python3 skills/ui-ux-pro-max/scripts/design_system.py --help', and the scripts have file-writing capabilities, including arbitrary directory creation via the --output-dir parameter.

MEDIUM Skill directs agent to execute bash commands -18

The skill instructs the agent to run Python scripts via bash, which crosses the boundary from pure prompt/data guidance into code execution territory. While the scripts appear benign in content, this pattern creates an execution vector.

LOW Extensive agent behavioral instructions -10

The skill provides detailed multi-step workflow instructions that shape agent behavior, including triage questions, output standards, and pre-delivery checklists. While appropriate for a UI/UX skill, these are moderately directive.

LOW File writing to arbitrary directories -15

The persist_design_system() function can write files to any directory specified by --output-dir, defaulting to Path.cwd(). While intended for design system output, this could be directed to overwrite configuration files.

INFO JIT-compiled JavaScript files created in /tmp 0

Multiple .cjs files were created in /tmp/jiti/ during install. These appear to be OpenClaw platform runtime artifacts (memory-core, plugin-sdk, channels-registry) rather than skill-originated, but their creation during skill install is notable.

INFO Canary files intact 0

All honeypot/canary files remained unmodified, indicating the skill did not attempt to tamper with or exfiltrate data via the canary mechanism.