UI/UX Design and Development

Generate and serve live HTML/CSS/JS UI designs from natural language prompts. Use when the user asks to design, create, build, or prototype a website, landing page, UI, dashboard, web page, or frontend mockup. Also triggers on requests to update, tweak, or iterate on a previously generated design. Replaces traditional UI design + frontend dev workflow.

This skill otherwise appears coherent for generating and previewing front-end prototypes, but the included scripts require root and several system binaries that are not declared. Before installing or running it: - Inspect the scripts yourself. setup.sh will run sudo, create /var/www/ui-designer, write an nginx site file to /etc/nginx/sites-available, link it to sites-enabled, and reload nginx — this can overwrite or interfere with existing web sites and requires root. If you do not want system-wide changes, do not run setup.sh as-is. - Ensure required binaries are present or run in an isolated environment: headless chromium (for screenshot.sh), cwebp (for convert-image.sh), numfmt/stat variants, nginx. If you lack these, the scripts will fail. - Prefer running the workflow inside a disposable VM or container (or change the serve_dir to a directory you control and avoid using sudo) so the skill can't modify system nginx or other host services. - Be cautious about TOOLS.md: SKILL.md tells the agent to save config there — confirm what file that is in your environment to avoid overwriting tool or agent config files. - If you plan to allow the skill to run autonomously, require stricter limits: remove sudo from setup.sh, expose a non-privileged serve directory (e.g., in your home), or provide a documented install step that the admin performs manually. - Ask the publisher for a list of explicit prerequisites (packages and permissions), and for a version of setup.sh that runs without sudo or that only outputs the suggested nginx config for manual review and install. What would change this assessment: an updated manifest declaring required binaries and permissions, a non-privileged setup mode (no sudo or system nginx modification), or explicit instructions to run setup only manually with admin review. Without those, the skill is suspicious because it performs undeclared privileged actions.

Type: OpenClaw Skill Name: ui-ux-dev Version: 1.0.0 The skill bundle is suspicious due to multiple shell injection vulnerabilities. The `SKILL.md` instructs the AI agent to execute shell scripts (`scripts/setup.sh`, `scripts/screenshot.sh`, `scripts/convert-image.sh`, and `zip`) with parameters derived from user input. Critically, `scripts/setup.sh` contains an unquoted expansion of `$PORT` and `$SERVE_DIR` within an Nginx configuration heredoc, allowing arbitrary command injection when `sudo nginx -t` and `sudo systemctl reload nginx` are executed. Other scripts also present shell injection risks if the AI agent does not properly sanitize user-controlled inputs before passing them as arguments. Additionally, `scripts/screenshot.sh` uses `chromium` with the `--no-sandbox` flag, which reduces security. While these are severe vulnerabilities that could lead to Remote Code Execution, there is no clear evidence of intentional malicious behavior such as data exfiltration or persistence.