v2.1.1

Senior Fullstack

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

This skill appears purpose-aligned for scaffolding and auditing full-stack projects, but users should review the bundled scripts, paths, generated dependencies, and placeholder secrets before running them.

Guidance: This looks reasonable for a development helper. Before using it, review the bundled Python scripts, run them only in a dedicated project folder, use simple safe project names, inspect generated package and environment files, and replace any placeholder secrets before deploying anything.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
python scripts/project_scaffolder.py nextjs my-app --output ./projects

The scaffolder can create project files in a user-selected output directory. This is aligned with the skill purpose, but an unintended path could create files somewhere the user did not mean to modify.

User impact: If run with the wrong output path, the skill may create a project tree in an unintended location.
Recommendation: Run scaffolding only in a dedicated workspace and review the output directory before executing the command.
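The check behind that recommendation, as an added example (this is not code from the skill or from project_scaffolder.py): resolve the requested output directory and refuse it unless it lands inside the dedicated workspace. The workspace path is a constructed value, and the helper names are assumptions for illustration.

```python
from pathlib import Path

# Added example, not part of the skill. Pre-flight check for an --output
# argument before a scaffolder is allowed to write a project tree.


def resolve_output_dir(workspace: str, requested: str) -> Path:
    """Return the absolute directory the scaffold would be written to,
    raising ValueError if it would fall outside the dedicated workspace."""
    ws = Path(workspace).resolve()
    # Path.resolve() collapses ".." segments and follows symlinks for the
    # parts of the path that already exist, so the comparison is made on
    # the real location rather than on the string the user typed.
    # If `requested` is absolute, `ws / requested` discards `ws` entirely;
    # that is exactly the case the containment check below must catch.
    target = (ws / requested).resolve()
    if target != ws and ws not in target.parents:
        raise ValueError(
            f"{requested!r} resolves to {target}, outside workspace {ws}"
        )
    return target


def is_inside_workspace(workspace: str, requested: str) -> bool:
    """Boolean form of the same check, for scripts that want to report
    rather than abort."""
    try:
        resolve_output_dir(workspace, requested)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed workspace path; nothing is created on disk by this check.
    WORKSPACE = "/tmp/claw-workspace"
    for candidate in ["./projects", "projects/../sandbox", "../../etc", "/etc"]:
        print(f"{candidate:>22} -> inside: {is_inside_workspace(WORKSPACE, candidate)}")
```

Run this against the `--output` value before invoking `python scripts/project_scaffolder.py ...`; anything that resolves outside the workspace, including an absolute path or a `..` chain, is rejected before any file is written.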
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
python scripts/code_quality_analyzer.py /path/to/project --json --output audit.json

The analyzer is intended to read a selected project directory and write a report. This is purpose-aligned, but it may inspect sensitive project files such as configuration or environment examples if they are inside the chosen path.

User impact: The generated audit report may reveal sensitive file paths or security findings about the selected codebase.
Recommendation: Point the analyzer only at codebases you intend to inspect, and review reports before sharing them.
Unexpected Code Execution
Severity: Low | Confidence: Medium | Status: Note
scripts/project_scaffolder.py
title: "{project_name}",

The scaffolder interpolates the requested project name into generated source files. This is expected for scaffolding, but unusual project names containing quotes or code-like characters could break or alter generated source.

User impact: A malformed or adversarial project name could produce broken generated code that behaves unexpectedly when later run.
Recommendation: Use simple project names with letters, numbers, dashes, or underscores, and review generated source before running it.
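To make the finding concrete, here is an added example (not the skill's project_scaffolder.py) that reproduces the flagged pattern, a project name interpolated into a string literal in generated source, and puts the allow-list from the recommendation beside it. The template is constructed to mirror the `title: "{project_name}",` line; the regex and the use of a JSON-encoded literal are the hardening choices assumed here.

```python
import json
import re

# Added example, not part of the skill. A constructed template with the same
# shape as the flagged line: the project name is dropped into a JS string
# literal inside generated source.
TEMPLATE = 'export const metadata = {{\n  title: "{project_name}",\n}};\n'

# Allow-list from the recommendation: letters, digits, dashes, underscores.
# The first character must not be a dash so the name cannot be mistaken
# for a command-line flag by later tooling.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def render_unsafe(project_name: str) -> str:
    """Plain interpolation: whatever the name contains lands in the source."""
    return TEMPLATE.format(project_name=project_name)


def is_safe_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def render_safe(project_name: str) -> str:
    """Validate against the allow-list, then emit the name as a JSON string
    literal (quotes and backslashes escaped), which is also a valid JS
    string literal. Two independent layers: if the allow-list is relaxed
    later, the literal still cannot close itself and add code."""
    if not is_safe_name(project_name):
        raise ValueError(f"unsafe project name: {project_name!r}")
    return "export const metadata = {\n  title: " + json.dumps(project_name) + ",\n};\n"


if __name__ == "__main__":
    # Constructed inputs: one benign name, one that closes the literal and
    # smuggles in an extra property, one that just breaks the syntax.
    for name in ["my-app", 'my-app", onload: "x', 'my "app"']:
        print(f"--- {name!r} (safe: {is_safe_name(name)})")
        print(render_unsafe(name))
```

For a benign name the two renderers produce identical source. For the adversarial name, `render_unsafe` emits `title: "my-app", onload: "x",`, a syntactically valid object with a property the user never asked for, while `render_safe` refuses the name before anything is generated.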
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: scripts/code_quality_analyzer.py, scripts/project_scaffolder.py

The registry metadata does not identify a source repository or homepage, while the skill includes runnable helper scripts. There is no remote installer shown, but provenance is limited.

User impact: Users have less external provenance information for deciding whether to trust the bundled scripts.
Recommendation: Review the included Python scripts before running them, especially in important or sensitive repositories.