xfg-ddd-skills
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent DDD scaffolding and deployment guidance skill, but users should notice that it can run local shell/Maven commands and pull a project template from an external Maven repository.
Before installing or using this skill, be comfortable with it running a local project-generation script, downloading a Maven archetype from the listed repository, and potentially following Docker deployment commands. Confirm the target directory, review generated files, and change any sample deployment passwords before using the output beyond local testing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may execute a local script to generate files in a workspace.
The skill explicitly instructs the agent/user to run a local shell script. This is expected for project scaffolding, but it is still local command execution that users should approve.
When the user says "create a DDD project", "new project", "create project", or "create ddd project", **you must use the `scripts/create-ddd-project.sh` script** ... `bash scripts/create-ddd-project.sh`
Run the script only after confirming the target directory and project settings.
A generated project may include files and dependencies supplied by the external Maven archetype repository.
Project generation depends on an external Maven repository and archetype. This is disclosed and central to the skill, but users are trusting that remote template source.
ARCHETYPE_REPOSITORY="https://maven.xiaofuge.cn/" ... mvn archetype:generate ... -DarchetypeArtifactId=ddd-scaffold-std-jdk17 ... -DarchetypeVersion="$ARCHETYPE_VERSION" ... -DarchetypeRepository="$ARCHETYPE_REPOSITORY"
Use a trusted archetype version, review the generated project before running it, and prefer pinned/known-good versions.
If run unattended, the script could create a default project in a default writable directory rather than the user’s intended location.
If the script is launched without an interactive terminal, it can fall back to default values and auto-confirm generation. SKILL.md tells the agent to ask first, but the script itself does not enforce that in non-interactive mode.
read_line() { if is_interactive; then read -r "$1"; fi } ... if [ -z "$selection" ]; then TARGET_DIR="${TARGET_OPTIONS[1]}" ... else confirm="y"
Provide the target path and project values explicitly, and verify the command is run in an interactive or otherwise controlled way.
