Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scaffold Project

Creates a new project structure with frontend, backend, database, integrations, marketing folders, and a README.md inside mission-control workspace.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 191 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description say 'create scaffold in mission-control workspace' and no credentials/install are requested, which is appropriate — but the code hardcodes the target directory as '/Users/ton/.openclaw-workspace/projects/mission-control' instead of using the documented allowed path (~/.openclaw-workspace/...). The hardcoded '/Users/ton' makes the skill user-specific and non-portable; that mismatch is not justified by the description.
Instruction Scope
SKILL.md describes checks (existence), creating folders and a README, and returning a list of created files. The shipped index.js does not perform an existence check/conditional behavior, does not return a list, and instead always mkdirs. Worse, the 'structure' array includes 'README.md' which the code treats as a directory (mkdirSync) and then later attempts to write a README.md file to the same path — this will cause errors (EISDIR or write failures) and contradicts the documented behavior.
Install Mechanism
No install spec or external downloads; the skill is instruction/code-only and relies only on Node.js fs/path. There are no network fetches or remote installers to review.
Credentials
No env vars or credentials are requested (appropriate). The code touches the filesystem under a hardcoded absolute home path, but does not attempt to read environment variables or secrets. The hardcoded user path is unusual but not evidence of secret exfiltration.
Persistence & Privilege
The skill does not request elevated platform privileges and is set to always:false. It writes files under a user directory (expected for a scaffolding tool) and does not modify other skills or global config.
What to consider before installing
This skill intends to scaffold a project, but the shipped code is buggy and user-specific. Before installing or running:

  1. Review and modify index.js to use a portable home directory (e.g., require('os').homedir() or process.env.HOME) instead of '/Users/ton'.
  2. Remove 'README.md' from the directory-creation loop and create files separately so you don't try to mkdir a filename.
  3. Add checks to avoid clobbering existing files, and return the list of created files as documented.
  4. Test in a safe/sandbox directory first to confirm behavior.
  5. If you don't want writes on your machine, do not enable autonomous invocation or run the code locally without inspection.

The issues look like sloppy/unfinished code rather than intentional malice, but treat it as untrusted until corrected.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest vk971ykpftwq11z2n39dep7z9658295pc

SKILL.md

scaffold-project

Create a new project structure inside the mission-control workspace.

Allowed path

~/.openclaw-workspace/projects/mission-control

What this skill does

  • Creates folders
  • Creates base files
  • Initializes project structure

Default structure

When called, create:

projects/mission-control/
├─ frontend/
├─ backend/
├─ database/
├─ integrations/
├─ marketing/
└─ README.md

Instructions

  1. Check if the folder exists
  2. If not, create the folder structure
  3. Create README.md describing the project
  4. Return a list of created files

Files

4 total