Trust Assessment
frontend-design received a trust score of 87/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. The key findings are an unpinned Tailwind CSS CDN dependency and an unpinned Lucide Icons CDN dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned Tailwind CSS CDN dependency: The skill recommends importing Tailwind CSS via an unpinned CDN link (`https://cdn.tailwindcss.com`). This URL always serves the latest version, which introduces a supply chain risk. If the CDN or the upstream project is compromised, or if a new version introduces breaking changes, it could lead to unexpected behavior or the injection of malicious code into applications generated using this skill. Pin the Tailwind CSS CDN dependency to a specific version (e.g., `https://cdn.tailwindcss.com/3.3.5`) to ensure stability and reduce the risk of unexpected changes or malicious injections. For production, consider self-hosting or using a build process. | LLM | SKILL.md:106 |
| MEDIUM | Unpinned Lucide Icons CDN dependency: The skill recommends importing Lucide Icons via an unpinned CDN link (`https://unpkg.com/lucide@latest/dist/umd/lucide.min.js`). The `@latest` tag means the content served can change without notice, introducing a supply chain risk. If the CDN or the upstream project is compromised, or if a new version introduces breaking changes, it could lead to unexpected behavior or the injection of malicious code into applications generated using this skill. Pin the Lucide Icons CDN dependency to a specific version (e.g., `https://unpkg.com/lucide@0.292.0/dist/umd/lucide.min.js`) to ensure stability and reduce the risk of unexpected changes or malicious injections. For production, consider self-hosting or using a build process. | LLM | SKILL.md:115 |