ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scaffold Project

v1.0.0

Creates a new project structure with frontend, backend, database, integrations, marketing folders, and a README.md inside mission-control workspace.

0· 372·0 current·0 all-time
by@scotteverduim

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for scotteverduim/scaffold-project.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Scaffold Project" (scotteverduim/scaffold-project) from ClawHub.
Skill page: https://clawhub.ai/scotteverduim/scaffold-project
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install scaffold-project

ClawHub CLI

Package manager switcher

npx clawhub@latest install scaffold-project
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description say 'create scaffold in mission-control workspace' and no credentials/install are requested, which is appropriate — but the code hardcodes the target directory as '/Users/ton/.openclaw-workspace/projects/mission-control' instead of using the documented allowed path (~/.openclaw-workspace/...). The hardcoded '/Users/ton' makes the skill user-specific and non-portable; that mismatch is not justified by the description.
!
Instruction Scope
SKILL.md describes checks (existence), creating folders and a README, and returning a list of created files. The shipped index.js does not perform an existence check/conditional behavior, does not return a list, and instead always mkdirs. Worse, the 'structure' array includes 'README.md' which the code treats as a directory (mkdirSync) and then later attempts to write a README.md file to the same path — this will cause errors (EISDIR or write failures) and contradicts the documented behavior.
Install Mechanism
No install spec or external downloads; the skill is instruction/code-only and relies only on Node.js fs/path. There are no network fetches or remote installers to review.
Credentials
No env vars or credentials are requested (appropriate). The code touches the filesystem under a hardcoded absolute home path, but does not attempt to read environment variables or secrets. The hardcoded user path is unusual but not evidence of secret exfiltration.
Persistence & Privilege
The skill does not request elevated platform privileges and always:false. It writes files under a user directory (expected for a scaffolding tool) and does not modify other skills or global config.
What to consider before installing
This skill intends to scaffold a project, but the shipped code is buggy and user-specific. Before installing or running: (1) review and modify index.js to use a portable home directory (e.g., require('os').homedir() or process.env.HOME) instead of '/Users/ton'; (2) remove 'README.md' from the directory-creation loop and create files separately so you don't try to mkdir a filename; (3) add checks to avoid clobbering existing files and return the list of created files as documented; (4) test in a safe/sandbox directory first to confirm behavior; and (5) if you don't want writes on your machine, do not enable autonomous invocation or run the code locally without inspection. The issues look like sloppy/unfinished code rather than intentional malice, but treat it as untrusted until corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ykpftwq11z2n39dep7z9658295pc
372downloads
0stars
1versions
Updated 2h ago
v1.0.0
MIT-0
@scotteverduim
latest
Download

scaffold-project

Create a new project structure inside the mission-control workspace.

Allowed path

~/.openclaw-workspace/projects/mission-control

What this skill does

  • Creates folders
  • Creates base files
  • Initializes project structure

Default structure

When called, create:

projects/mission-control/ ├─ frontend/ ├─ backend/ ├─ database/ ├─ integrations/ ├─ marketing/ └─ README.md

Instructions

  1. Check if the folder exists
  2. If not, create the folder structure
  3. Create README.md describing the project
  4. Return a list of created files

Comments

Loading comments...