Template Tool
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: template-tool
Version: 1.0.0
The bundle provides project scaffolding and template processing utilities, but contains a path traversal vulnerability in 'scripts/template.py'. The script uses the user-provided 'name' and 'output' arguments to construct file paths without sanitizing for directory traversal sequences (e.g., '..') or absolute paths, allowing arbitrary file writes. Additionally, there is a discrepancy between the CLI usage described in 'SKILL.md' and the actual arguments accepted by the scripts.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user invokes the scaffold generator with an unsafe name or output path, it could create or replace local project files outside the expected location.
The user-provided name is only partially sanitized before being used in output filenames (spaces and dashes are replaced with underscores; path separators, '..' and leading slashes are left intact), and files are opened in write mode ('w'), which truncates whatever already exists at that path. Path separators or '..' in the name could cause writes outside the intended directory, and existing files could be overwritten.
The excerpt from scripts/template.py that the finding points at (comments added here; class_name and the filename template are assigned earlier in the script and are not part of the excerpt):

```python
# Only spaces and dashes are rewritten; '/', '\\', '..' and a leading '/' pass through.
safe_name = name.replace(' ', '_').replace('-', '_')
# The still-unsanitized name is interpolated into the output filename.
filename = filename.format(name=safe_name, Name=class_name)
# pathlib discards output_path entirely when filename is absolute.
file_path = output_path / filename
# 'w' truncates and overwrites any existing file at that path.
with open(file_path, 'w') as f:
```

Only run it in a disposable or clearly chosen output directory. The maintainer should reject path separators and '..' in generated filenames and avoid overwriting existing files without confirmation.
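A hardened version of that write step, shown beside the unsanitized construction for comparison. This is an added example, not code from the template-tool skill or from ClawScan. The function names vulnerable_path, safe_filename, resolve_inside and write_new_file are assumed for illustration, as is deriving the {Name} placeholder with str.title(), since the script's own class_name logic is not shown. The hardening is the one the finding recommends: refuse anything but a plain identifier as the name, confirm the resolved path is still under the output directory, and open with 'x' so an existing file is never silently replaced.

```python
import re
import tempfile
from pathlib import Path

# Added example; not code from the template-tool skill. Function names and
# the {Name} derivation (str.title()) are assumptions made for illustration.

_IDENTIFIER = re.compile(r"[A-Za-z0-9_]+")


def vulnerable_path(output_dir: Path, name: str, pattern: str) -> Path:
    """The path construction from the finding, kept as-is for comparison.
    Only spaces and dashes are rewritten, so '..' and separators survive,
    and pathlib discards output_dir when the name is absolute."""
    safe_name = name.replace(" ", "_").replace("-", "_")
    return output_dir / pattern.format(name=safe_name, Name=safe_name.title())


def safe_filename(name: str) -> str:
    """Apply the skill's normalization, then require a plain identifier.
    Anything else ('..', '/', '\\', NUL, an absolute path) is rejected."""
    candidate = name.replace(" ", "_").replace("-", "_")
    if not _IDENTIFIER.fullmatch(candidate):
        raise ValueError(f"unsafe template name: {name!r}")
    return candidate


def resolve_inside(output_dir: Path, filename: str) -> Path:
    """Resolve the joined path and confirm it is strictly under output_dir.
    Checking the resolved path also covers a symlinked output directory and
    any separator that slipped past the name filter."""
    root = output_dir.resolve()
    target = (root / filename).resolve()
    if root not in target.parents:
        raise ValueError(f"{filename!r} escapes {root}")
    return target


def write_new_file(output_dir: Path, name: str, pattern: str, content: str) -> Path:
    """Hardened write step: validated name, containment check, and
    open(..., 'x') so an existing file is never silently replaced
    (FileExistsError instead of a truncating overwrite)."""
    safe_name = safe_filename(name)
    filename = pattern.format(name=safe_name, Name=safe_name.title())
    path = resolve_inside(output_dir, filename)
    with open(path, "x", encoding="utf-8") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    out = Path(tempfile.mkdtemp())
    # Constructed attacker input: a traversal sequence in the project name.
    print("vulnerable join:", vulnerable_path(out, "../evil", "{name}_config.py"))
    for bad in ("../evil", "/etc/cron.d/job", "ok\\..\\x"):
        try:
            safe_filename(bad)
        except ValueError as exc:
            print("rejected:", exc)
    print("wrote:", write_new_file(out, "my app", "{name}_config.py", "x = 1\n"))
```

The containment check is deliberately kept even though safe_filename already rejects separators: a later change to the name filter, or a template pattern that itself contains a separator, would otherwise reopen the traversal without anyone noticing.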
Users may be unsure which code will run, and the command behavior may not match the documentation.
The artifact set contains executable scripts, and SKILL.md documents a template-tool command, but no install or entrypoint mapping says which script backs that command.
No install spec — this is an instruction-only skill.
Before installing or invoking, confirm the intended entrypoint and review the included scripts. The publisher should add an explicit install/entrypoint specification or remove unused scripts.
