Package.json Generator

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a simple local package.json generator; the main caution is that running its script can overwrite an existing package.json.

This skill looks benign for generating a package.json. Before using it, make sure you are in the correct project folder and that you are comfortable replacing any existing package.json file.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run in the wrong directory, it may replace an existing package.json and affect a project’s npm configuration.

Why it was flagged

The script directly writes a package.json in the current directory and interpolates user-provided arguments. This is aligned with the generator purpose, but it can overwrite an existing package.json and unusual argument values could produce malformed JSON.

Skill content

NAME="${1:-my-project}"
VERSION="${2:-1.0.0}"

cat > package.json << JSON
{
  "name": "$NAME",
  "version": "$VERSION",

Recommendation

Run it only in the intended project directory, back up any existing package.json first, and use simple trusted package names and version strings. A safer implementation would warn before overwriting and JSON-escape inputs.