Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CLI Scaffold Generator

v1.0.0

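Generates professional CLI scaffolding, supporting mainstream CLI frameworks such as Commander.js, yargs, and oclif, and generates a complete project structure in one step.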

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The README/description claims support for multiple CLI frameworks (commander, yargs, oclif, ink) and flag-style invocation (--framework, --description). The included cli-scaffold-generator.sh implements only a simple positional-argument generator that always emits a Commander-based template and always lists 'commander' and 'chalk' in dependencies regardless of chosen framework. That mismatch between claimed capabilities and actual code is inconsistent with the stated purpose.
Instruction Scope
SKILL.md contains only innocuous usage examples and no requests for secrets or system paths. The provided shell script creates files and sets an executable bit in the current directory (expected for a scaffold generator). It does not access network endpoints or environment variables. However, SKILL.md shows flag-style usage that the script does not implement (positional args only), which is misleading.
Install Mechanism
No install spec is present and the skill is 'instruction-only' with one helper shell script. Nothing is downloaded or extracted from external URLs, so there is no extra install-time risk.
Credentials
No credentials, config paths, or environment variables are requested. The script does not attempt to read unrelated files or secrets.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It writes only to a subdirectory named by the provided project name (normal for a scaffold generator).
What to consider before installing
This package is inconsistent rather than obviously malicious, but you should not run it blindly. Specific points to check before using:
(1) inspect cli-scaffold-generator.sh — it always generates a Commander.js template (contrary to the SKILL.md), and package.json unconditionally includes commander and chalk;
(2) the generated JavaScript contains a syntax error (extra closing parenthesis in 'new Command());') that will break the scaffolded CLI;
(3) SKILL.md shows flag-style CLI options, but the script expects positional arguments — the interfaces are mismatched;
(4) run the script only in an isolated directory or container to avoid unexpected file writes, and consider fixing the script (syntax error and framework selection logic) or using a vetted generator instead;
(5) if you plan to execute generated package scripts (npm install, npm publish), review package.json and node scripts first.
If you want higher assurance, ask the author for an updated implementation that actually implements framework selection, corrects the JS syntax, and documents exact usage.

Like a lobster shell, security has layers — review code before you run it.

Tags: cli, commander, generator, latest, scaffold

Runtime requirements

🖥️ Clawdis