Django Project Creator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to create Django projects as advertised, but its script builds shell commands from user-entered paths and names, so a malformed or malicious input can cause it, accidentally or deliberately, to run unintended commands.
Review or sandbox this skill before running it. It is aligned with Django project creation, but because it passes typed paths and names into shell commands, use only trusted simple inputs and avoid running it in sensitive directories. Consider fixing the script to validate identifiers and use safe subprocess calls before relying on it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script with a malicious or malformed input could execute unintended local commands or write files outside the expected project setup.
User-provided values are interpolated into shell commands without validation or quoting, creating a command-injection risk if a path, project name, or app name contains shell metacharacters.
path = input(...)
os.system(f'python3 -m venv {path}.venv')
os.system(f'django-admin startproject {projectName}')
os.system(f'django-admin startapp {appName}')

Only run it in a trusted local environment, use simple safe names and paths, and preferably update the script to use subprocess with argument lists plus strict validation for paths, project names, app names, and model names.
The generated environment may change over time depending on the latest available package versions, and package-install behavior is not captured in an install specification.
The script downloads unpinned packages at runtime. This is purpose-aligned for a Django scaffolding tool, but users should understand it pulls current package versions from the package index rather than a pinned, reviewed dependency set.
run_command('pip install django')
run_command('pip install djangorestframework')
run_command('pip install drf-nested-routers')
run_command('pip install django-cors-headers')

Pin dependency versions or review the packages before installation, especially for production projects.
