ClawHub

Django Project Creator

Security checks across malware telemetry and agentic risk

Overview

The skill fits a Django project bootstrapper, but its script runs shell commands with unvalidated user-provided names, which could execute unintended local commands.

Review this skill carefully before running it. If you use it, run it only in a disposable directory or container, avoid pasting untrusted project/app/model names, and verify that dependencies install into the intended virtual environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI05: Unexpected Code Execution
High
What this means

A malicious or accidentally unsafe project/app/model name could cause arbitrary local commands to run, potentially modifying or deleting files outside the intended project.

Why it was flagged

User-controlled names are interpolated directly into os.system shell commands. Shell metacharacters in these inputs could run commands beyond Django project creation.

Skill content
projectName = input(...)
os.system(f'django-admin startproject {projectName}')
...
appName = input(...)
os.system(f'django-admin startapp {appName}')
Recommendation

Do not run this with untrusted input. The publisher should validate names with a strict safe pattern and replace os.system calls with subprocess.run using argument lists.

#
ASI02: Tool Misuse and Exploitation
Medium
What this means

Packages may be installed into the wrong Python environment, changing the user's system or active environment instead of only the new project environment.

Why it was flagged

Activating a virtual environment through os.system does not persist for later subprocess calls, so pip and django-admin may run in the user's ambient environment rather than the intended isolated environment.

Skill content
os.system('source .venv/bin/activate')
run_command('pip install django')
def run_command(command):
    result = subprocess.run(command.split(), ...)
Recommendation

Invoke the virtual environment's explicit executables, such as .venv/bin/python -m pip, and clearly declare required binaries and operating-system assumptions.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The installed package versions can change over time and will come from the user's configured package index.

Why it was flagged

Installing Django-related packages is expected for this skill, but the packages are unpinned and there is no lockfile or install spec in the provided artifacts.

Skill content
run_command('pip install django')
run_command('pip install djangorestframework')
run_command('pip install drf-nested-routers')
run_command('pip install django-cors-headers')
Recommendation

Use a pinned requirements file or lockfile and run installation only in a clearly selected virtual environment.