Wip Repo Init
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong path, especially with --yes, it can reorganize an existing ai/ folder in that repository.
The CLI acts on a user-supplied or current directory, can skip confirmation with --yes, and renames an existing ai/ folder before scaffolding the new structure.
const targetRepo = resolve(process.argv[2] || process.cwd()); ... const forceYes = process.argv.includes('--yes') || process.argv.includes('-y'); ... renameSync(aiDir, tmpOld);Run with --dry-run first, verify the target path, and avoid --yes unless you are sure the repo is correct and backed up or under version control.
Internal notes, plans, logs, or discarded drafts placed there may remain in the repo and be read by future humans or agents.
The generated ai/ folder is intended to become persistent project context and encourages retaining rather than deleting files.
Plans, notes, ideas, dev updates, todos. Everything that isn't code lives here. ... **Never delete anything.** Move to `_trash/`
Do not store secrets or sensitive conversation logs there unless the repo and retention policy are appropriate; periodically review archived _trash content.
A user might incorrectly assume the ai/ folder is automatically excluded from public repos or deployments.
The template includes privacy/publishing wording, but the provided scaffolder only creates local files and does not itself enforce repo privacy or publication exclusions.
This folder only exists in `-private` repos. It never ships to public.
Verify your repo privacy, .gitignore, and deployment/publishing rules separately before putting private material in ai/.