Skill Scaffold
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward local scaffolding CLI that creates template skill files, with expected npm installation and filesystem writes.
This skill looks safe for its stated purpose. Before installing, verify the npm package source; when using it, choose the output directory deliberately and review the generated SKILL.md and README.md before publishing or enabling the new skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package globally makes the CLI available on the local system and should only be done from a trusted package source and version.
The skill asks users to globally install and run an npm CLI package. That is normal for this tool's purpose, but global CLI installs are a provenance point users should verify.
npm install -g skill-scaffold
Verify the npm package identity and version before installing globally, and prefer a pinned or reviewed source when possible.
Running the CLI will create persistent files in the chosen location.
The CLI writes scaffold files into a user-selected directory. This is expected for a scaffolding tool and is bounded by the validated skill name and an existing-directory check.
const baseDir = getFlag('--dir') || process.cwd(); ... fs.mkdirSync(skillDir, { recursive: true }); fs.writeFileSync(path.join(skillDir, 'SKILL.md'), t.skillMd());
Run it from the intended workspace or pass an explicit --dir value, and review the created files before publishing or installing them as a skill.
If untrusted text is used as a description or author value, it could become persistent agent-readable content in the generated skill.
User-provided description text is interpolated into generated SKILL.md files, which future agents may read as instructions or context.
const description = getFlag('--description') || `${skillName} skill for AI agents`; ... description: ${description}
Do not pass untrusted prompt-like text into scaffold metadata, and manually review generated SKILL.md files before use or publication.
