Neckr0ik Code Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a straightforward local code scaffolding helper, with expected file-generation behavior but some install and capability-description details worth checking.
Use this as a normal local code generator: run it only in intended project directories, review generated files before executing them, and verify the actual CLI installation path because the artifacts do not include an install spec.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may create or overwrite local project files where it is pointed.
The generator creates directories and writes files under a caller-selected output/name path. This is expected for a scaffolding tool, but it can replace files in the chosen project directory.
project_dir = self.output_dir / name
project_dir.mkdir(parents=True, exist_ok=True)
(project_dir / "README.md").write_text(...)
Use an empty or dedicated output directory, avoid protected/system paths, and review generated files before committing or running them.
A user may need to manually determine how the advertised command is installed or run.
The artifacts document CLI-style use but do not provide an install mechanism tying that command to the included script. This is not suspicious by itself, but users should verify invocation and provenance.
No install spec — this is an instruction-only skill.
Confirm the exact entry point before use, and inspect any local wrapper or package installation used to expose the CLI.
The skill may not generate the advertised language-specific scaffolds or code.
The implementation shown is narrower than the SKILL.md claims of broad Python, TypeScript, Go, Rust, and Node.js support. This looks like overstatement or incomplete implementation rather than malicious behavior.
if language != "python":
    print(f"Warning: Only Python scaffolding is implemented. Creating Python project.")
Treat the generated output as a draft, verify supported languages before relying on it, and review generated code manually.
