Skill v1.0.0
ClawScan security
Django Project Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 2:14 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (bootstrapping Django/DRF projects); it modifies local files and runs package installs but requests no unrelated credentials or privileged persistence.
- Guidance: This skill appears to do what it says: create Django or DRF projects and install packages. Before running it, review the included script and run it in a disposable directory or inside a fresh virtual environment because it will: (1) create files and directories under the path you provide, (2) call pip to download and install packages from PyPI, and (3) run manage.py migrate which may modify a local database. If you do not trust the author or you want to be extra cautious, inspect the script line-by-line, run it in an isolated container, or manually perform the steps instead of running the script as-is.
Review Dimensions
- Purpose & Capability (ok): Name/description (Django project bootstrap) align with the provided Python script and SKILL.md. The script creates projects/apps, writes Django files, and installs Django/DRF packages — all expected for this purpose.
- Instruction Scope (note): SKILL.md and script direct the agent/user to create a venv, run pip installs, startproject/startapp, write urls/views/models, and run manage.py migrate. These actions are in-scope, but they modify local filesystem and run package installs and migrations, so they should be run in an appropriate directory/virtual environment.
- Install Mechanism (ok): No install spec (instruction-only) and only a single code file included. The script invokes pip to install packages from PyPI at runtime; this is expected for dependency provisioning but means external code will be fetched when the script runs.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The script does not attempt to read or exfiltrate unrelated secrets. It performs local operations and network fetches limited to package installation (pip).
- Persistence & Privilege (ok): The skill does not request always:true, does not persist itself into agent configuration, and does not modify other skills or system-wide settings. It only writes files within the chosen project directory.
