Stack Scaffold
Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent project-scaffolding skill; its main risks are the expected ability to create files, run npm/npx/git commands, and reference cloud service credentials for the generated app.
This skill is reasonable to use for creating a new full-stack project, but run it only in a confirmed new or empty directory. Review the npx/npm/git commands, verify the package source and versions, and do not add real Supabase or Firebase secrets until you have inspected the generated files and ensured .env files are ignored by git.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can create a project, install dependencies, and make an initial git commit in the chosen folder.
The skill instructs the agent to create files and run local project setup and git commands. This is expected for a scaffolding skill and is bounded by the confirmation and empty-directory checks written into the skill's own instructions; note that these are instructions the agent is asked to follow, not technical controls, so the user should still verify the target before the commands run.
Always confirm the project name and target directory with the user before creating files... Run `npx create-next-app@latest <project-name> ...` ... `git init && git add -A && git commit -m "chore: initial Next.js scaffold"`.
Confirm the exact target directory and review the planned commands before allowing the scaffold to run, especially if using an existing folder.
The resulting project may depend on whatever versions npm resolves at setup time.
The scaffold downloads templates and packages from npm, and both the scaffolder itself (`create-next-app@latest`, which `npx` fetches and executes) and the installed dependencies are unpinned, so the exact code that runs and ships depends on what the registry serves at setup time. This is normal for project scaffolding but carries ordinary package supply-chain risk.
`npx create-next-app@latest <project-name>` ... `npm install @supabase/supabase-js @supabase/ssr firebase firebase-admin zod zustand next-themes`.
Review the generated package.json and lockfile, consider pinning versions, commit package-lock.json and install with `npm ci` in CI, and run `npm audit` or equivalent dependency-audit practices before deploying.
If real credentials are provided to the generated app, they can grant access to the user's Supabase/Firebase resources.
The skill declares cloud service environment variables, including a Firebase private key. These credentials are purpose-aligned for Supabase/Firebase Admin integration, and the artifacts do not show logging, hardcoding, or exfiltration.
"env": ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY", ... "FIREBASE_CLIENT_EMAIL", "FIREBASE_PRIVATE_KEY"]
Use least-privileged service accounts, keep real secrets out of git, and inspect generated environment/config files before deployment. Keep the Firebase Admin credentials (FIREBASE_CLIENT_EMAIL and FIREBASE_PRIVATE_KEY) server-side only: variables with the NEXT_PUBLIC_ prefix are inlined into the browser bundle by Next.js, so never give a server-only secret that prefix.
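The three recommendations above (confirm an empty target before the scaffold runs, review unpinned dependency specs, and make sure .env files are ignored and hold no real secrets before the initial commit) can be checked mechanically. The script below is an added example written for this review; it is not part of the Stack Scaffold skill or of ClawScan's tooling. It assumes POSIX sh with grep, awk, sed and ls, treats git as optional, and assumes the npm-style one-entry-per-line package.json layout that `npm install` writes. The function names (`check_target_dir`, `find_unpinned`, `check_env_ignored`, `preflight`, `postflight`) are this example's own.

```shell
#!/bin/sh
# Pre- and post-scaffold checks. Added example for this review, not code from the
# skill or from ClawScan. Assumes POSIX sh, grep, awk, sed, ls; git is optional.
# Usage:  . ./preflight.sh
#         preflight  <target-dir>   # before: npx create-next-app@latest ...
#         postflight <target-dir>   # after the scaffold, before git add -A && git commit

# Finding 1: only scaffold into a directory that does not exist yet or is empty.
# `ls -A` includes dotfiles, so a stray .git or .env makes the directory non-empty.
check_target_dir() {
  dir="$1"
  [ -e "$dir" ] || return 0                      # absent: the scaffold will create it
  if [ ! -d "$dir" ]; then
    echo "refuse: $dir exists and is not a directory" >&2
    return 1
  fi
  if [ -n "$(ls -A "$dir")" ]; then
    echo "refuse: $dir is not empty" >&2
    return 1
  fi
  return 0
}

# Finding 2: print "name spec" for every dependency whose spec is not an exact
# x.y.z version (ranges like ^ ~ >=, *, "latest" or another tag, git/file URLs).
# Returns 1 if anything was printed, 0 if every entry is pinned.
# Assumes the usual one-entry-per-line package.json that npm writes.
find_unpinned() {
  awk '
    /"(dependencies|devDependencies|optionalDependencies)"[[:space:]]*:[[:space:]]*[{]/ { in_deps = 1; next }
    in_deps && /^[[:space:]]*[}]/ { in_deps = 0; next }
    in_deps && match($0, /"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"/) {
      split(substr($0, RSTART, RLENGTH), f, "\"")          # f[2] = name, f[4] = spec
      if (f[4] !~ /^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.]+)?$/) { print f[2], f[4]; bad = 1 }
    }
    END { if (bad) exit 1 }
  ' "$1"
}

# Finding 3: every top-level .env* file must be ignored by git, and none may
# already hold a private key. Uses `git check-ignore` (authoritative) when the
# project is a repository; otherwise compares against .gitignore lines literally.
check_env_ignored() {
  proj="$1"
  rc=0
  for f in "$proj"/.env "$proj"/.env.*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    if command -v git >/dev/null 2>&1 && [ -d "$proj/.git" ]; then
      git -C "$proj" check-ignore -q "$name" || { echo "unignored: $name" >&2; rc=1; }
    else
      esc=$(printf '%s' "$name" | sed 's/\./\\./g')       # literal dots in the regex
      grep -Eqx "/?(\.env|\.env\*|\.env\.\*|$esc)" "$proj/.gitignore" 2>/dev/null \
        || { echo "unignored: $name" >&2; rc=1; }
    fi
    # A Firebase Admin key is PEM; it must not be present before .gitignore is in place.
    if grep -q 'BEGIN .*PRIVATE KEY' "$f"; then
      echo "warning: $name already contains a private key" >&2
      rc=1
    fi
  done
  return $rc
}

# Before the scaffold: refuse unless the target is absent or empty.
preflight() { check_target_dir "$1"; }

# After the scaffold, before the initial commit: report unpinned dependencies
# (advisory) and refuse if any .env file is unignored or already holds a key.
postflight() {
  proj="$1"
  if [ -f "$proj/package.json" ]; then
    find_unpinned "$proj/package.json" || echo "review: unpinned dependencies listed above" >&2
  fi
  check_env_ignored "$proj"
}
```

`postflight` deliberately treats an unpinned dependency as something to review rather than a hard failure, since `create-next-app` itself writes caret ranges; an unignored or key-bearing .env file, by contrast, blocks the commit because `git add -A` in the skill's command sequence would otherwise capture it.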
