Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Scaffold

v1.0.4

AI agent skill scaffolding CLI. Create skills for OpenClaw, Moltbot, Claude, Cursor, ChatGPT, Copilot instantly. Vibe-coding ready. MCP compatible.

by Next Frontier AI (@nextfrontierbuilds)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (skill scaffolder) match the included files and code: the package provides a CLI that creates SKILL.md, README.md, scripts/, and optional bin/ CLI files. No unrelated capabilities, credentials, or binaries are requested.
Instruction Scope
The SKILL.md and README instruct how to use the CLI and how to edit/publish generated skills. There are no instructions to read unrelated system files, exfiltrate data, or access secrets. Runtime behavior is limited to generating files and directories.
Install Mechanism
No install spec in the registry metadata; the package is a normal npm-style CLI with source in bin/ and package.json. There are no remote downloads, URL shorteners, or archive extraction steps in the code. The installer risk is low.
Credentials
The skill declares no required environment variables, credentials, or config paths. The code uses process.cwd() and provided flags; it does not read secrets or other environment variables beyond defaults.
Persistence & Privilege
No elevated persistence requested: always is false, and the skill does not attempt to modify other skills or system-wide agent settings. It only writes files into the target output directory supplied by the user.
Assessment
This package is internally coherent and appears benign, but before installing globally you should: (1) verify the npm package and repository authorship (registry metadata showed no homepage but package.json points to a GitHub repo), (2) inspect the CLI source (bin/skill-scaffold.js) yourself — it writes files and sets an executable bit for generated CLI files, (3) avoid running it into directories that contain important data (the tool aborts if the target dir already exists, but always review output), and (4) prefer running it in a sandbox or local project folder first. If you plan to publish generated skills, review generated SKILL.md and any code for secrets or external endpoints before publishing.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, clawdbot, cli, generator, latest, openclaw, scaffold, skill
