Init

Pass

Audited by ClawScan on May 10, 2026.

Overview

This onboarding skill asks questions and writes local profile/config files; review the persistent files and optional Solograph check, but the artifacts do not show hidden exfiltration or destructive behavior.

This skill appears safe for its stated purpose. Before installing or invoking it, be aware that it will create or update ~/.solo-factory/defaults.yaml and .solo files in your project, and those files will guide other Solo Factory skills later. Review generated content, do not store secrets in these files, and skip the optional Solograph check if you do not want uvx or package-manager execution.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may create or overwrite local configuration/profile files under ~/.solo-factory and the selected project directory.

Why it was flagged

The skill authorizes shell and file-modification tools so the agent can create and update onboarding files.

Skill content

allowed-tools: Read, Grep, Bash, Glob, Write, Edit, AskUserQuestion

Recommendation

Confirm the intended project path before running and review the generated files, especially when re-running the skill.

What this means

A Solograph availability check could run external package code on the local machine, even though it is disclosed as optional.

Why it was flagged

The optional Solograph check may execute an external Python package through uvx if that path is chosen.

Skill content

Try running `uvx solograph --help` or check if MCP tools are available

Recommendation

Only allow the Solograph check if you want it; otherwise ask the agent to skip Step 10 or verify Solograph manually.

What this means

If local templates have been modified or are untrusted, they could affect the generated profile and stack files.

Why it was flagged

Generated content may be based on local template files that are not included in the provided artifact set.

Skill content

look for `templates/` relative to this SKILL.md (traverse up to find `solo-factory/templates/`)

Recommendation

Use templates from a trusted Solo Factory checkout and inspect the generated .solo files before relying on them.

What this means

Personal preferences, project defaults, and edited profile text can influence future agent actions across related skills.

Why it was flagged

The generated profile files become persistent context used by later skills such as /validate, /setup, /stream, and /scaffold.

Skill content

Other skills read from .solo/ automatically.

Recommendation

Keep ~/.solo-factory and .solo contents accurate and trusted, avoid putting secrets in them, and review changes before committing them to a repository.