Stack Scaffold

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can create a project, install dependencies, and make an initial git commit in the chosen folder.

Why it was flagged

The skill asks the agent to create files and run local project setup/git commands. This is expected for a scaffolding skill and is bounded by confirmation and empty-directory checks.

Skill content
Always confirm the project name and target directory with the user before creating files... Run `npx create-next-app@latest <project-name> ...` ... `git init && git add -A && git commit -m "chore: initial Next.js scaffold"`.
Recommendation

Confirm the exact target directory and review the planned commands before allowing the scaffold to run, especially when the target is an existing folder: `git add -A` stages everything already present in it, not just the generated files.

What this means

The resulting project may depend on whatever versions npm resolves at setup time, so two runs of the same skill on different days can produce different dependency trees.

Why it was flagged

The scaffold downloads templates and packages from npm, including use of `@latest` and unpinned dependency versions. This is normal for project scaffolding but carries ordinary package supply-chain risk.

Skill content
`npx create-next-app@latest <project-name>` ... `npm install @supabase/supabase-js @supabase/ssr firebase firebase-admin zod zustand next-themes`.
Recommendation

Review generated package files, consider pinning versions, and use normal dependency-audit practices before deploying.

What this means

If real credentials are provided to the generated app, they can grant access to the user's Supabase/Firebase resources.

Why it was flagged

The skill declares cloud service environment variables, including a Firebase private key. These credentials are purpose-aligned for Supabase/Firebase Admin integration, and the artifacts do not show logging, hardcoding, or exfiltration.

Skill content
"env": ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY", ... "FIREBASE_CLIENT_EMAIL", "FIREBASE_PRIVATE_KEY"]
Recommendation

Use least-privileged service accounts, keep real secrets out of git, and inspect generated environment/config files before deployment. Next.js inlines every `NEXT_PUBLIC_`-prefixed variable into the browser bundle, so only the Supabase URL and anon key belong under that prefix; `FIREBASE_PRIVATE_KEY` and any service-role credential must stay server-side.