Sovereign project-setup-wizard
Pass. Audited by ClawScan on May 1, 2026.
Overview
The artifacts describe a normal project scaffolder that writes files and may read your Git identity, with minor metadata disclosure gaps but no evidence of hidden or malicious behavior.
This appears safe for normal project scaffolding. Before installing, be aware that it runs a local bash script, creates persistent files in the chosen output directory, may initialize Git by default, and may copy your Git name/email into generated project files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with the wrong project name or output directory, it can create files in an unintended local location.
The script creates directories and files at a path derived from user-provided options. This is expected for a project scaffolder, but it is still a persistent local file operation.
PROJECT_DIR="$OUTPUT_DIR/$PROJECT_NAME" ... mkdir -p "$dir" ... echo "$content" > "$filepath"
Use --dry-run first for unfamiliar templates, choose the output directory carefully, and review generated files before committing or using them.
A user may not realize from the registry summary alone that installing the skill means running a local bash script that expects bash and git.
The registry summary under-declares the local executable script and tool expectations that are described elsewhere in the artifacts.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill. ... Code file presence: scripts/setup.sh
Treat it as a local script-based skill, ensure bash/git are available, and inspect the script if your environment has stricter installation controls.
Your Git-configured name or email may be copied into generated project metadata and could later become public if you publish the project.
The script reads local Git profile identity to prefill author fields. This is purpose-aligned, but it may place personal name/email data into generated project files.
AUTHOR_NAME=$(git config user.name 2>/dev/null || echo "") ... AUTHOR_EMAIL=$(git config user.email 2>/dev/null || echo "")
Review or override the author name and email prompts, especially before publishing the generated scaffold.
