Skill Scaffold
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package globally makes the CLI available on the local system and should only be done from a trusted package source and version.
The skill asks users to globally install and run an npm CLI package. That is normal for this tool's purpose, but global CLI installs are a provenance point users should verify.
npm install -g skill-scaffold
Confirm the package name, publisher and exact version before installing globally, and prefer an exact pinned version from a source you have reviewed over an unpinned latest install.
Running the CLI will create persistent files in the chosen location.
The CLI writes scaffold files into a user-selected directory. This is expected for a scaffolding tool and is bounded by the validated skill name and an existing-directory check.
const baseDir = getFlag('--dir') || process.cwd();
...
fs.mkdirSync(skillDir, { recursive: true });
fs.writeFileSync(path.join(skillDir, 'SKILL.md'), t.skillMd());
Run it from the intended workspace or pass an explicit --dir value, and review the created files before publishing or installing them as a skill.
If untrusted text is used as a description or author value, it could become persistent agent-readable content in the generated skill.
User-provided description text is interpolated into generated SKILL.md files, which future agents may read as instructions or context.
const description = getFlag('--description') || `${skillName} skill for AI agents`;
...
description: ${description}
Do not pass untrusted prompt-like text into scaffold metadata, and manually review generated SKILL.md files before use or publication.
