Django Project Creator

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated Django-project setup purpose, but the included script runs local shell and package-install commands in ways that can affect the user’s machine beyond creating the scaffold.

Review and patch the script before running it. If you proceed, run it in a clean container or disposable virtual environment, use safe alphanumeric project/app/model names, pin dependencies, and do not assume the generated Django project is production-ready without a separate security review.

VirusTotal

66/66 vendors reported this skill as clean. An antivirus verdict says nothing about the command-injection and environment-handling issues below: those are logic flaws in the script’s own code, not malware signatures.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
High
What this means

A malformed or malicious project/app name could cause the script to run arbitrary commands on the user’s machine.

Why it was flagged

User-supplied names are inserted into os.system shell commands without quoting or validation, so shell metacharacters in a project or app name could execute unintended local commands.

Skill content
projectName = input(...)
os.system(f'django-admin startproject {projectName}')
...
os.system(f'django-admin startapp {appName}')
Recommendation

Only run this in a disposable or trusted directory, use simple alphanumeric names, and replace the os.system calls with subprocess.run invocations that pass an argument list (never shell=True) and validate each name before it is used.
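The hardened form of the scaffold step, as an added example that is not part of the skill or of the ClawScan report: the name is checked against the identifier rule django-admin itself enforces, and the command is passed as an argv list so the shell never parses it. The sample names are constructed; the file and function names are this example's own.

```python
import keyword
import re
import subprocess
from pathlib import Path

# The skill's own pattern, shown here only for contrast (never run it):
#   os.system(f'django-admin startproject {projectName}')
# os.system hands the string to /bin/sh -c, so a constructed name such as
#   "mysite; touch /tmp/pwned"
# becomes two shell commands: the scaffold, then whatever followed the ';'.

# django-admin only accepts names that are valid Python identifiers, so an
# allow-list rejects every shell metacharacter without needing a deny-list.
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_SUBCOMMANDS = ("startproject", "startapp")


def is_valid_name(name: str) -> bool:
    """True only for a non-keyword Python identifier (what django-admin requires)."""
    return bool(_NAME_RE.fullmatch(name)) and not keyword.iskeyword(name)


def build_command(subcommand: str, name: str) -> list[str]:
    """Build the argv list for django-admin; raises before any shell could see bad input."""
    if subcommand not in _SUBCOMMANDS:
        raise ValueError(f"unsupported subcommand: {subcommand!r}")
    if not is_valid_name(name):
        raise ValueError(f"invalid project/app name: {name!r}")
    return ["django-admin", subcommand, name]


def scaffold(subcommand: str, name: str, cwd: Path) -> list[str]:
    """Run django-admin with an argv list: no shell, so the name is never re-parsed."""
    cmd = build_command(subcommand, name)
    subprocess.run(cmd, cwd=cwd, check=True)
    return cmd


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one with a metacharacter, one keyword.
    for candidate in ("mysite", "mysite; touch /tmp/pwned", "class"):
        print(f"{candidate!r:32} valid={is_valid_name(candidate)}")
    # Real run (needs django-admin on PATH): scaffold("startproject", "mysite", Path.cwd())
```

Because validation happens in build_command, a rejected name raises before subprocess.run is ever reached; the argv form also means a name containing spaces or quotes would be passed to django-admin as a single argument rather than split by a shell.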

ASI02: Tool Misuse and Exploitation
Medium
What this means

Packages may be installed into the user’s current or global Python environment instead of the intended isolated environment, potentially affecting other projects.

Why it was flagged

os.system runs each command in its own /bin/sh -c process, so activating a virtual environment there changes only that short-lived shell and has no effect on the commands that follow (on systems where /bin/sh is dash, `source` is not even a recognised builtin and the call simply fails). The later pip commands therefore use whichever pip is first on PATH, not the one inside .venv.

Skill content
os.system('source .venv/bin/activate')
run_command('pip install django')
Recommendation

Use the virtual environment’s explicit interpreter and pip path, such as .venv/bin/python -m pip (.venv\Scripts\python.exe -m pip on Windows), and show the user exactly which environment will be modified before installing packages.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The exact installed package versions can change over time, affecting reproducibility and exposing the setup to normal package-supply-chain risk.

Why it was flagged

The dependency installs are purpose-aligned, but they are unpinned and there is no lockfile or install spec in the artifacts.

Skill content
run_command('pip install django')
run_command('pip install djangorestframework')
run_command('pip install drf-nested-routers')
run_command('pip install django-cors-headers')
Recommendation

Pin dependency versions (and, where possible, hashes), commit a lockfile or requirements file, and install inside a controlled virtual environment or container.
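One way to address both the environment finding (ASI02) and the pinning finding (ASI04) together, as an added example that is not part of the skill or of the report: the venv is created from Python, pip is invoked through that venv's own interpreter, and the install only proceeds if every requirement is an exact pin. The version numbers in REQUIREMENTS are assumptions for illustration, and the function names are this example's own.

```python
import os
import subprocess
import sys
import venv
from pathlib import Path

# Pinned requirements for the four packages the skill installs. The version
# numbers are assumptions for illustration: pin to the releases you have
# reviewed, and add hashes (pip hash, or pip-compile --generate-hashes) when you can.
REQUIREMENTS = """\
django==5.0.6
djangorestframework==3.15.1
drf-nested-routers==0.94.1
django-cors-headers==4.3.1
"""


def parse_pins(text: str) -> dict[str, str]:
    """Return {package: version}; reject any requirement that is not an exact '==' pin."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep != "==" or not version or any(c in version for c in "<>~*,"):
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def venv_python(venv_dir) -> Path:
    """Interpreter inside the venv: bin/python on POSIX, Scripts/python.exe on Windows."""
    venv_dir = Path(venv_dir)
    if os.name == "nt":
        return venv_dir / "Scripts" / "python.exe"
    return venv_dir / "bin" / "python"


def pip_install_command(venv_dir, requirements) -> list[str]:
    """pip run through the venv interpreter, so global site-packages is never touched.
    --require-virtualenv makes pip abort if it somehow ends up outside a venv."""
    return [str(venv_python(venv_dir)), "-m", "pip", "install",
            "--require-virtualenv", "-r", str(Path(requirements))]


def create_env_and_install(project_dir: Path) -> list[str]:
    """Create .venv, write the pinned requirements, install, and return the command used."""
    parse_pins(REQUIREMENTS)  # fail closed before anything is created
    venv_dir = project_dir / ".venv"
    venv.EnvBuilder(with_pip=True).create(venv_dir)
    req = project_dir / "requirements.txt"
    req.write_text(REQUIREMENTS)
    cmd = pip_install_command(venv_dir, req)
    # Tell the user exactly which environment is about to be modified.
    print(f"Installing into {venv_dir} with: {' '.join(cmd)}")
    subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    create_env_and_install(Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd())
```

No `source` or `activate` step is involved: pointing at the venv's interpreter is what selects the environment, and it works the same way from os.system, subprocess, or a CI runner.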

ASI09: Human-Agent Trust Exploitation
Low
What this means

A user might over-trust the generated project and deploy it without the normal Django production security review.

Why it was flagged

The skill claims production-ready settings, while the included script appears to generate basic Django scaffolding and placeholders rather than a fully reviewed production configuration.

Skill content
Default development and production-ready settings
Recommendation

Treat the output as a starter scaffold only, run python manage.py check --deploy against it, and review Django settings, secrets, DEBUG, ALLOWED_HOSTS, CORS, database configuration, and deployment security before production use.
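A settings audit of the kind that review involves, as an added example that is not part of the skill or of the report: it takes a settings dictionary and returns findings for the items listed above, mirroring part of what `manage.py check --deploy` does. Both settings dictionaries are constructed samples (the scaffold one resembles what startproject writes by default), and the function name is this example's own.

```python
from typing import Any

# Constructed sample: roughly what `django-admin startproject` writes by default,
# which is what the skill's scaffold contains before any hardening.
SCAFFOLD_SETTINGS: dict[str, Any] = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-" + "x" * 40,   # placeholder, not a real key
    "ALLOWED_HOSTS": [],
    "DATABASES": {"default": {"ENGINE": "django.db.backends.sqlite3"}},
}

# Constructed sample of a reviewed configuration. The key is a deterministic
# placeholder; generate a real one with django.core.management.utils.get_random_secret_key().
HARDENED_SETTINGS: dict[str, Any] = {
    "DEBUG": False,
    "SECRET_KEY": "".join(chr(33 + i) for i in range(64)),
    "ALLOWED_HOSTS": ["app.example.com"],
    "CORS_ALLOW_ALL_ORIGINS": False,
    "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],
    "DATABASES": {"default": {"ENGINE": "django.db.backends.postgresql"}},
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
}


def audit_settings(s: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing here objects to deployment."""
    findings = []
    if s.get("DEBUG", False):
        findings.append("DEBUG is True: tracebacks and settings are shown to clients")
    key = s.get("SECRET_KEY", "")
    if not key or key.startswith("django-insecure-") or len(key) < 50 or len(set(key)) < 5:
        findings.append("SECRET_KEY is the startproject placeholder, missing, short or low-entropy")
    hosts = s.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or a wildcard: the Host header is not validated")
    # CORS_ORIGIN_ALLOW_ALL is the older django-cors-headers name for the same setting.
    if s.get("CORS_ALLOW_ALL_ORIGINS") or s.get("CORS_ORIGIN_ALLOW_ALL"):
        findings.append("django-cors-headers allows every origin")
    if s.get("DATABASES", {}).get("default", {}).get("ENGINE", "").endswith("sqlite3"):
        findings.append("default database is the development SQLite file")
    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not s.get(flag, False):
            findings.append(f"{flag} is not enabled")
    if not s.get("SECURE_HSTS_SECONDS"):
        findings.append("SECURE_HSTS_SECONDS is not set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("scaffold", SCAFFOLD_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {len(audit_settings(cfg))} finding(s)")
        for f in audit_settings(cfg):
            print("  -", f)
```

The scaffold sample trips every check except the CORS one, which is the point of the finding: "production-ready" is not something the generated files establish on their own. On a real project, load the settings module and pass `vars(settings)` in, or simply run `manage.py check --deploy`, which covers these and more.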