Scaffold
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s scaffolding purpose is clear, but it may read existing projects and push a new repository to GitHub, and the provided artifacts do not clearly show that explicit publish-scope approval is required.
Before installing, confirm that you want this skill to read selected sibling projects and that GitHub publishing is opt-in or separately confirmed. Verify the GitHub account, organization, repository visibility, and remote URL before allowing any push.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal request to start a project could result in code being pushed to a GitHub account or organization before the user has explicitly reviewed the publish target and visibility.
Publishing to GitHub is a high-impact account mutation. The confirmation step that SKILL.md provides is not clearly scoped to repository creation, org/remote selection, visibility, or the final push, even though broad project-creation phrases are enough to trigger the skill.
Evidence (SKILL.md): description: Generate complete project ... git repo, and GitHub push. Use when user says "scaffold project", "create new project", "start new app"... 6. **Show plan + get confirmation** ... Confirm or adjust before creating files
Recommendation: Require a separate, explicit confirmation before creating or pushing a GitHub repository, showing the account/org, repo name, remote URL, branch, visibility, and whether the push is optional.
The skill may act under the user’s existing GitHub identity, so if the ambient credentials in the environment are not the ones the user expects, the push could land in the wrong account or organization.
The registry credential contract declares no GitHub authentication requirement, while the SKILL.md description says the workflow includes a GitHub push. This suggests the skill relies on whatever GitHub credentials are already available in the environment.
Evidence (registry credential contract): Required env vars: none ... Primary credential: none
Recommendation: Document the expected GitHub authentication method and ask the user to confirm the account and organization before any GitHub operation.
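The two findings above call for the same control: a publish-scope gate that runs before any repository creation or push. The following is an added example of such a gate, not code from the skill or from ClawScan (which did not execute the skill). It assumes the skill already knows the remote URL, branch and visibility it intends to use, that it can obtain the login the ambient credential resolves to at runtime (for example with `gh api user --jq .login`), and that the user has named any organizations they approve; the `PublishPlan` fields, the `publish owner/repo` confirmation phrase and the public/private visibility set are all assumptions of this example.

```python
"""Publish-scope gate (added example; not code from the skill or ClawScan)."""
import re
from dataclasses import dataclass

# Accepts git@github.com:org/repo.git, ssh://git@github.com/org/repo.git and
# https://github.com/org/repo(.git). Anything else is rejected rather than guessed.
_REMOTE_RE = re.compile(
    r"^(?:ssh://)?(?:git@|https?://)(?P<host>[^/:]+)[/:]"
    r"(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?/?$"
)
# Assumed default: only the two visibilities every personal account has.
ALLOWED_VISIBILITY = {"public", "private"}


def parse_remote(url: str) -> tuple[str, str, str]:
    """Split a GitHub remote URL into (host, owner, repo)."""
    m = _REMOTE_RE.match(url.strip())
    if not m:
        raise ValueError(f"unrecognised remote URL: {url!r}")
    return m["host"], m["owner"], m["repo"]


@dataclass(frozen=True)
class PublishPlan:
    """What the skill intends to do to the user's GitHub account (assumed fields)."""
    remote_url: str
    branch: str
    visibility: str
    push_optional: bool = True


def check_scope(plan: PublishPlan, login: str, approved_orgs: set[str]) -> list[str]:
    """Return every reason the plan must not proceed without a fresh decision.

    `login` is the account the ambient credential resolves to (obtain it at
    runtime, e.g. `gh api user --jq .login`); `approved_orgs` are organizations
    the user named explicitly. The user's own login is always an acceptable owner.
    """
    host, owner, _ = parse_remote(plan.remote_url)
    problems = []
    if host != "github.com":
        problems.append(f"remote host {host!r} is not github.com")
    if owner != login and owner not in approved_orgs:
        problems.append(
            f"owner {owner!r} is neither the confirmed account {login!r} "
            "nor an approved organization"
        )
    if plan.visibility not in ALLOWED_VISIBILITY:
        problems.append(f"visibility {plan.visibility!r} must be public or private")
    return problems


def summary(plan: PublishPlan, login: str) -> str:
    """The text to show before asking; it names every detail that will change."""
    host, owner, repo = parse_remote(plan.remote_url)
    return "\n".join([
        f"Authenticated as:  {login}",
        f"Create and push:   {host}/{owner}/{repo}",
        f"Remote URL:        {plan.remote_url}",
        f"Branch:            {plan.branch}",
        f"Visibility:        {plan.visibility}",
        f"Push is optional:  {'yes' if plan.push_optional else 'no'}",
        f"Type exactly 'publish {owner}/{repo}' to proceed; anything else skips the push.",
    ])


def confirm_publish(plan: PublishPlan, login: str, approved_orgs: set[str], answer: str) -> bool:
    """True only when scope checks pass AND the answer names this exact target.

    Binding the confirmation to owner/repo means a generic "yes" given earlier
    (e.g. to "Confirm or adjust before creating files") cannot authorize a push.
    """
    if check_scope(plan, login, approved_orgs):
        return False
    _, owner, repo = parse_remote(plan.remote_url)
    return answer.strip() == f"publish {owner}/{repo}"


if __name__ == "__main__":
    # Constructed scenario: the token belongs to "alice" but the generated remote
    # points at the "acme" organization, which she has not approved.
    plan = PublishPlan("git@github.com:acme/widget.git", "main", "private")
    print(summary(plan, "alice"))
    print(check_scope(plan, "alice", set()))                                # one problem
    print(confirm_publish(plan, "alice", {"acme"}, "publish acme/widget"))  # True
```

The gate is deliberately split into a scope check and a confirmation check so that a mismatch between the credential's login and the target owner fails closed even if the user types the phrase; the skill should re-run `check_scope` on the final remote URL immediately before the push, not on an earlier draft of the plan.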
Private project structure or implementation patterns could influence the generated scaffold, and outdated or unsafe patterns from older projects could be carried forward.
The skill retrieves context from existing projects to shape its output. This is disclosed and purpose-aligned, but it can expose or reuse private code patterns, and the result is only as good as the retrieved context.
Evidence: Study existing projects via SoloGraph (learn from your own codebase — critically)... use `project_info()` to list active projects... `project_code_search(query="<pattern>", project="<sibling>")`... Limit to 2-3 sibling projects
Recommendation: Let users approve which sibling projects may be consulted, avoid copying proprietary code verbatim, and keep the stated 2-3 project limit.
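Two checks that implement this recommendation, as an added example that is not part of the skill or of ClawScan's review: an allowlist that restricts consultation to user-approved sibling projects and enforces the stated limit, and a verbatim-copy detector that flags generated files reproducing long token runs from a consulted project. The sibling names, the sample source snippet and the generated snippet are constructed for illustration; the `min_tokens` threshold is an assumed tuning value.

```python
"""Sibling-project guards (added example; not code from the skill or ClawScan)."""
import re
from collections import defaultdict

MAX_SIBLINGS = 3  # the skill's own stated "2-3 sibling projects" ceiling


def select_siblings(requested: list[str], approved: list[str], limit: int = MAX_SIBLINGS) -> list[str]:
    """Keep only user-approved projects, in request order, capped at `limit`.

    Anything not approved is dropped, never replaced with a different project,
    so the user always knows exactly which codebases were read.
    """
    approved_set = set(approved)
    chosen: list[str] = []
    for name in requested:
        if name in approved_set and name not in chosen:
            chosen.append(name)
        if len(chosen) == limit:
            break
    return chosen


_TOKEN = re.compile(r"\S+")


def verbatim_runs(generated: str, source: str, min_tokens: int = 8) -> list[str]:
    """Return maximal runs of >= min_tokens whitespace-separated tokens that
    appear contiguously in `source`. Matching on tokens rather than characters
    means re-indenting or re-wrapping a copied block does not hide it."""
    gen = _TOKEN.findall(generated)
    src = _TOKEN.findall(source)
    n = min_tokens
    # Index every n-gram of the source by its starting positions.
    starts: dict[tuple[str, ...], list[int]] = defaultdict(list)
    for s in range(len(src) - n + 1):
        starts[tuple(src[s:s + n])].append(s)
    runs: list[str] = []
    i = 0
    while i <= len(gen) - n:
        candidates = starts.get(tuple(gen[i:i + n]))
        if not candidates:
            i += 1
            continue
        # Extend the longest exact match from any source position that seeds it.
        best = 0
        for s in candidates:
            k = n
            while i + k < len(gen) and s + k < len(src) and gen[i + k] == src[s + k]:
                k += 1
            best = max(best, k)
        runs.append(" ".join(gen[i:i + best]))
        i += best
    return runs


# Constructed sample: a sibling project snippet with a hard-coded credential and
# TLS disabled, and a generated scaffold that copied it verbatim.
SIBLING_SRC = (
    "def get_db():\n"
    "    conn = psycopg2.connect(host=os.environ['DB_HOST'], user='admin', "
    "password='hunter2', sslmode='disable')\n"
    "    return conn\n"
)
GENERATED = (
    "import psycopg2\n\n"
    "def get_db():\n"
    "    conn = psycopg2.connect(host=os.environ['DB_HOST'], user='admin', "
    "password='hunter2', sslmode='disable')\n"
    "    return conn\n\n"
    "def healthcheck():\n"
    "    return 'ok'\n"
)

if __name__ == "__main__":
    print(select_siblings(["api", "web", "secret-lab", "mobile", "cli"],
                          ["api", "web", "mobile", "cli"]))  # ['api', 'web', 'mobile']
    for run in verbatim_runs(GENERATED, SIBLING_SRC):
        print("verbatim copy from sibling:", run)
```

In practice the skill would run `verbatim_runs` over every generated file against each file it retrieved via `project_code_search`, and surface the hits to the user before writing the scaffold; a flagged run like the one above is exactly the case where an outdated or unsafe pattern would otherwise be carried forward silently.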
Future runs may reuse stored organization, Apple team, GitHub org, or project-directory defaults.
The skill writes a persistent configuration file in the user’s home directory. This is disclosed and limited to org/project defaults rather than hidden background behavior.
Evidence: Create `~/.solo-factory/defaults.yaml` with answers for future runs
Recommendation: Tell users where the defaults file is stored and how to review, edit, or delete it.
