Senior Fullstack
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a normal full-stack scaffolding and code-audit helper, but it can read and write local project files, so users should run it only in intended workspaces and review generated code.
This skill is reasonable for scaffolding and auditing full-stack projects. Before installing or using it, review the bundled Python scripts, run them only in a chosen project folder, use simple project names, replace placeholder secrets in generated templates, and inspect generated files before running npm install or starting development servers.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run in the wrong directory or on too broad a path, the scripts could create files where the user did not intend or analyze sensitive local code.
The skill explicitly tells users to run local scripts that create project files and scan local project directories.
python scripts/project_scaffolder.py nextjs my-app --output ./projects ... python scripts/code_quality_analyzer.py /path/to/project --json --output audit.json
Run commands only in a dedicated workspace, pass explicit project paths, and review generated files and reports before using them.
Users have less external context for verifying who maintains the scripts or where updates come from.
The skill includes executable scripts but does not provide an external source or homepage for provenance validation.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Inspect the bundled scripts before running them, and prefer using the skill in a disposable or version-controlled project directory.
Unusual project names containing quotes, newlines, or code-like text could break or alter generated files if not sanitized before the generated app is run.
The scaffolder embeds the user-provided project name directly into generated source-code templates.
title: "{project_name}" ... app = FastAPI(title="{project_name}", openapi_url="/api/openapi.json")
Use simple project names, avoid untrusted text as a project name, and inspect generated source before installing dependencies or starting the app.
Audit reports may reveal sensitive project structure or security issue locations, even if the visible analyzer code does not show network exfiltration.
The analyzer is designed to inspect local code and can write a report summarizing security findings.
Security vulnerabilities (hardcoded secrets, injection risks) ... Save report to file: python scripts/code_quality_analyzer.py . --output report.json
Store generated audit reports securely and avoid scanning directories that contain unrelated private material.
