Template Tool Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a templating purpose, but one included script can write or overwrite local files with weak path controls.
Review the scripts before use, run the tool only in a controlled directory, and avoid giving it path-like names or sensitive output locations. There is no evidence of credential theft or network exfiltration, but the file-writing behavior needs care.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user invokes the scaffold generator with an unsafe name or output path, it could create or replace local project files outside the expected location.
The user-provided name is only partially sanitized before being used in output filenames, and files are opened in write mode. Path separators or '..' in the name could cause writes outside the intended directory, and existing files could be overwritten.
safe_name = name.replace(' ', '_').replace('-', '_')  # only spaces and hyphens are replaced; '/' and '..' pass through untouched
filename = filename.format(name=safe_name, Name=class_name)
file_path = output_path / filename  # a name containing separators or '..' resolves outside output_path
with open(file_path, 'w') as f:  # write mode silently truncates any existing file at that path
    ...

Only run it in a disposable or clearly chosen output directory. The maintainer should reject path separators and '..' in generated filenames and avoid overwriting existing files without confirmation.
Users may be unsure which code will run, and the command behavior may not match the documentation.
The artifact set contains executable scripts, and SKILL.md documents a template-tool command, but no install or entrypoint mapping explains which script backs that command.
No install spec — this is an instruction-only skill.
Before installing or invoking, confirm the intended entrypoint and review the included scripts. The publisher should add an explicit install/entrypoint specification or remove unused scripts.
