Build beautiful interactive Node.js command-line apps with @clack/prompts.

Pass. Audited by ClawScan on May 6, 2026.

Overview

This instruction-only skill is a coherent @clack/prompts reference; the only notable issues are normal npm dependency provenance and care needed if using its password-prompt examples.

This looks safe as documentation-only guidance for @clack/prompts. Before using it in a project, verify the npm dependency and be careful with any generated CLI code that prompts for passwords, tokens, file paths, or other sensitive input.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the examples may add third-party code to a project via npm.

Why it was flagged

The skill tells users how to add an external npm dependency. This is central to the stated purpose and user-directed, but any npm package install has normal third-party package provenance risk.

Skill content
npm install @clack/prompts
Recommendation

Verify the npm package, use a lockfile or pinned version where appropriate, and follow normal dependency review practices.

What this means

If you ask the agent to build a CLI that collects passwords or tokens, the generated app could mishandle secrets if it logs, stores, or transmits them unsafely.

Why it was flagged

The API reference documents masked secret input. This is expected for an interactive prompt library, and there is no evidence that the skill itself collects, stores, or sends secrets.

Skill content
const secret = await password({
  message: 'Set a password.',
  mask: '*',
Recommendation

When using password prompts, ensure generated code does not print secrets, stores them only with clear user consent, and uses secure storage or transmission practices.