Project Scaffold

v1.0.0

Generate new projects with standardized structure, tooling, and configuration for web, API, mobile, CLI, or browser extension apps.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly expects platform toolchains (node/npx/npm, Python/pip/uvicorn, Swift/Xcode, git) and network installs, but the skill metadata declares no required binaries or environment variables. A scaffolder should list the CLIs it calls; omitting them is an incoherence. Additionally the FastAPI example uses 'uv init && uv pip install fastapi uvicorn', which is not a standard command and appears to be a typo or reference to an undeclared CLI.
Instruction Scope
Instructions are focused on scaffolding and include concrete shell commands (npx create-next-app, npm install, mkdir, git init/commit). They don't ask to read arbitrary files or exfiltrate data, but they do instruct performing package installs and committing to git — actions that access the network and local repo state. The 'uv' command is ambiguous/incorrect and needs correction; otherwise the scope is appropriate for a scaffolding skill.
Install Mechanism
No install spec or code files are present (instruction-only), so there's no added install-time risk from downloads or archives being written to disk by the skill itself.
Credentials
The skill requests no environment variables and no credentials, which is proportionate. It does mention .env in the .gitignore and references config.py for settings, but doesn't request secrets. Users should still be aware the scaffolded projects may include instructions to use env vars and will likely cause developers to create or store secrets locally.
Persistence & Privilege
The skill is not always-enabled and doesn't request persistent privileges. Autonomous invocation is allowed by platform default but not combined with any other high-risk factor in this package.
What to consider before installing
This skill is an instruction-only project scaffolder and has low installation risk, but there are internal inconsistencies you should resolve before using it:

1) The metadata claims no required binaries, yet the instructions call many CLIs (node/npx/npm, git, python/pip/venv, swift/Xcode). Ensure those tools exist in your environment before running any commands.
2) Fix the apparent typo 'uv init && uv pip install fastapi uvicorn' — replace with standard Python steps (for example: python -m venv .venv && source .venv/bin/activate && pip install fastapi uvicorn) or clarify what 'uv' refers to.
3) Expect network activity: npx/npm and pip will download packages — run in a network-safe sandbox/CI or review packages you allow.
4) Review generated files (package.json, pyproject/requirements, build scripts) for any unexpected postinstall hooks.
5) Because this is instruction-only, it won't itself install code, but following the commands will modify your system/repo; run them in a disposable directory or VM until you confirm the commands are correct.

If the publisher can clarify required binaries and correct the FastAPI commands, the skill would be coherent and usable.

Like a lobster shell, security has layers — review code before you run it.

latest: vk976k66xwz2zn4xprkc6s3hj818023q8
