Django Project Creator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Django project-creation purpose, but its script uses unvalidated user inputs in shell commands and may modify the caller's Python environment.
Install or run this only in a controlled development folder or sandbox. Use safe alphanumeric names for projects, apps, and models; avoid running with elevated privileges; and prefer a revised version that validates inputs, uses argument-safe subprocess calls, pins package versions, and installs dependencies explicitly inside a virtual environment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or malicious project/app name could cause unintended local commands to run as the current user.
Interactive values are interpolated directly into shell commands via os.system. Without validation or argument-safe subprocess calls, special characters in a project or app name could alter the command being run.
projectName = input(f'{color.YELLOW}Choose a name for your project: {color.END}')
os.system(f'django-admin startproject {projectName}')
appName = input(f'{color.YELLOW}Choose a name for your app: {color.END}')
os.system(f'django-admin startapp {appName}')

Use simple alphanumeric project and app names, run only in a disposable development directory, and update the script to use subprocess.run([...]) with validated identifiers instead of shell-formatted strings.
Unexpected Python code or shell behavior could be introduced into the generated project and then exercised during migration setup.
Model names supplied by the user are written into Python source and then Django management commands are run. If model input is not strictly validated, generated code or shell metacharacters could have unintended effects.
modulsName = input(f'{color.GREEN}give me all the models ...')
os.system(f'''echo "class {module}(models.Model): ..." >> models.py''')
run_command(f'python3 manage.py makemigrations')
run_command(f'python3 manage.py migrate')

Validate model names as Python identifiers, avoid shell echo for writing code, and require user review before running migrations.
Django packages may be installed into the current/global Python environment instead of an isolated project environment, changing the user's development setup.
The script creates a virtual environment only if the user agrees, then "activates" it in a separate shell call before running pip through another separate subprocess. Because each os.system call spawns its own short-lived shell, the activation does not carry over to the later pip invocations, and the artifacts do not show that package installs are reliably scoped to the new virtualenv.
os.system(f'python3 -m venv {path}.venv')
os.system('source .venv/bin/activate')
run_command('pip install django')

Create and use the virtualenv explicitly, such as invoking its python/pip by full path, and clearly tell the user where dependencies will be installed.
The installed package versions may vary over time, and the setup depends on external package availability and integrity.
The script downloads unpinned packages at runtime. This is expected for a Django scaffold generator, but it is less reproducible and depends on the live package index.
run_command('pip install django')
run_command('pip install djangorestframework')
run_command('pip install drf-nested-routers')
run_command('pip install django-cors-headers')

Pin dependency versions, provide a requirements or lock file, and document the expected package source.
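A hardened form of the patterns flagged in all four findings (validated identifiers, argument-list subprocess calls, the virtualenv's own interpreter for pip, pinned requirements, and models.py written from Python instead of shell echo), added here as an example and not the skill's own code; function names and the placeholder version pins are assumptions:

```python
import keyword
import subprocess
import sys
from pathlib import Path

# Added example, not the skill's own code: hardened forms of the patterns
# flagged above. Function names are this example's own; the pins are placeholders.
PINNED_REQUIREMENTS = ["django==X.Y.Z", "djangorestframework==X.Y.Z"]  # placeholder pins


def is_safe_name(name: str) -> bool:
    """True only for ASCII, non-keyword Python identifiers. Django project, app
    and model names all become Python identifiers, so one check covers them."""
    return name.isascii() and name.isidentifier() and not keyword.iskeyword(name)


def validate_identifier(name: str) -> str:
    if not is_safe_name(name):
        raise ValueError(f"invalid name: {name!r}")
    return name


def venv_python(venv_dir: Path) -> Path:
    """Interpreter inside the venv; calling it by full path keeps pip and django scoped to it."""
    if sys.platform == "win32":
        return venv_dir / "Scripts" / "python.exe"
    return venv_dir / "bin" / "python"


def django_argv(venv_dir: Path, subcommand: str, name: str) -> list:
    """argv list for `python -m django ...`: no shell, so the name is a literal argument."""
    return [str(venv_python(venv_dir)), "-m", "django", subcommand, validate_identifier(name)]


def pip_install_argv(venv_dir: Path, requirements: list) -> list:
    return [str(venv_python(venv_dir)), "-m", "pip", "install", *requirements]


def models_source(model_names: list) -> str:
    """Render models.py in Python instead of piping text through `echo`."""
    lines = ["from django.db import models", ""]
    for model in model_names:
        lines += [f"class {validate_identifier(model)}(models.Model):", "    pass", ""]
    return "\n".join(lines)


def scaffold(root: Path, project: str, app: str, models: list) -> None:
    """The generator's sequence with argument-list subprocess calls throughout."""
    venv_dir = root / ".venv"
    subprocess.run([sys.executable, "-m", "venv", str(venv_dir)], check=True)
    subprocess.run(pip_install_argv(venv_dir, PINNED_REQUIREMENTS), check=True)
    subprocess.run(django_argv(venv_dir, "startproject", project), cwd=root, check=True)
    project_dir = root / project
    subprocess.run(django_argv(venv_dir, "startapp", app), cwd=project_dir, check=True)
    (project_dir / app / "models.py").write_text(models_source(models))
    # Migrations are left for the user to run after reviewing models.py.
```

Call scaffold() from a disposable directory once real version pins replace the placeholders; names containing spaces, hyphens, shell metacharacters or Python keywords are rejected before any command is built.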
