Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to be a locally run Python CLI that uses bundled CSV databases to generate design systems — that matches its description. However, before installing or running it you should: 1) Inspect the Python scripts (scripts/search.py, core.py, design_system.py) for any network requests, remote endpoints, or unexpected filesystem access. 2) Confirm the install source/provenance (who published it and whether the GitHub URL in the README is legitimate). 3) Because SKILL.md requires python3 ...
ℹ Purpose and capabilities
Name/description, CSV data files, and CLI examples align with a UI/UX design-data + generator tool. However, the skill metadata lists no required binaries while the SKILL.md explicitly requires Python 3 for the CLI — that's an inconsistency. The README also contains 'npx add https://github.com/...' lines (a repo tree URL), which is an odd install hint and should be verified against the registry's actual install mechanism.
⚠ Instruction scope
Runtime instructions direct the agent/user to run python3 scripts/search.py and to persist generated design systems (creating design-system/MASTER.md and a pages/ folder). This is consistent with a CLI tool, but it grants the skill broad discretion to write files under the working directory and read the bundled CSV datasets. The SKILL.md does not instruct network calls, but the included Python scripts could contain network I/O or other operations — the instructions give the skill permission to execute local code without declaring that in metadata.
ℹ Install mechanism
There is no formal install spec in the registry entry, yet the package contains executable scripts and the README shows various install commands (npx clawhub install and an 'npx add https://github.com/...' line). The GitHub URL in README is a repo tree link rather than a clear release archive — this is unusual and worth confirming. Because code files (scripts/*.py) are included and expected to be executed, the absence of a declared install step or verified release artifacts increases the surface for supply-chain risk.
✓ Credential requirements
The skill requests no environment variables, credentials, or config paths in metadata and the SKILL.md does not ask for secrets. That is appropriate for a local design-data CLI. The only missing piece is that Python 3 is required but not listed under required binaries in registry metadata.
ℹ Persistence and permissions
always:false and no elevated privileges are requested. The skill will persist files into a local design-system/ directory by default, which is within expected scope. However, the skill includes manual install instructions that copy files into dotfile directories (~/.ai-skills, ~/.cursor/skills, .claude/skills), which implies it expects filesystem write access to user home and project directories — normal for a CLI but worth being explicit about.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/10
● Suspicious
Install command
Official: npx clawhub@latest install ui-ux
Mirror (accelerated): npx clawhub@latest install ui-ux --registry https://cn.longxiaskill.com