Serverless Template Generator

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a mostly coherent serverless template generator, but its shell script interpolates an unsanitized, user-controlled function name into an output file path, so a name containing '..' can create or overwrite files outside the intended template folder.

Use this skill only in a safe working directory, choose simple names without slashes or '..', and review the generated files before running npm install or npm run deploy. Deployment can publish to real cloud accounts, so confirm the target provider account and project first.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or malicious function name could make the generator create or overwrite files in unexpected locations on the user's machine.

Why it was flagged

The script interpolates the user-controlled function name directly into the output file path. The prefix "$PLATFORM/api/" stops an absolute name from escaping, but a name containing parent-directory components such as '../' still resolves outside the intended generated template directory, and the 'cat >' redirection truncates whatever file it lands on without warning. The appended '.js' limits the targets to paths ending in .js, which still includes project configuration files and installed module files.

Skill content
```bash
NAME="${1:-my-function}" ... cat > "$PLATFORM/api/$NAME.js"
```
Recommendation

Only use simple project/function names, avoid slashes or '..', run the generator in a disposable working directory, and add validation that restricts names to an allow-list (for example letters, digits, hyphen and underscore) before any file is written.
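The validation the recommendation asks for, as an added example that is not the skill's own script: a POSIX sh allow-list check on the name, and a write routine that only builds the path after the check passes and refuses to clobber an existing file. The output directory argument stands in for the skill's $PLATFORM, the handler body is a placeholder, and the allow-list (1 to 64 characters from [A-Za-z0-9_-], not starting with '-') is an assumed policy.

```shell
#!/bin/sh
# Added example, not the skill's own code: validate the function name
# before it becomes part of a file path, then write the handler under a
# directory the caller chooses (standing in for the skill's $PLATFORM).
# Assumed policy: 1-64 characters from [A-Za-z0-9_-], not starting with '-'.
set -eu
LC_ALL=C; export LC_ALL   # keep the character ranges below ASCII-only

# 0 if the name is safe to embed in a path, 1 otherwise.
validate_name() {
  case "$1" in
    '')                return 1 ;;   # empty
    -*)                return 1 ;;   # later tools would read it as an option
    *[!A-Za-z0-9_-]*)  return 1 ;;   # rejects '/', '.', spaces, quotes, everything else
  esac
  [ "${#1}" -le 64 ]
}

# Write "$1/api/$2.js" and print the path written. Returns 1 and writes
# nothing when the name is rejected or the target already exists.
write_handler() {
  validate_name "$2" || { printf 'rejected name: %s\n' "$2" >&2; return 1; }
  target="$1/api/$2.js"
  if [ -e "$target" ]; then
    # the original 'cat >' would silently truncate this file
    printf 'refusing to overwrite existing %s\n' "$target" >&2
    return 1
  fi
  mkdir -p "$1/api"
  cat > "$target" <<'EOF'
module.exports = async (req, res) => {
  res.status(200).json({ ok: true });
};
EOF
  printf '%s\n' "$target"
}

# Demonstration in a throwaway directory: one good name, one traversal attempt.
demo() {
  tmp="$(mktemp -d)"
  write_handler "$tmp" "hello-world"
  write_handler "$tmp" "../../../../tmp/owned" || echo "traversal blocked"
  rm -rf "$tmp"
}
demo
```

Because the allow-list excludes both '/' and '.', a name that passes cannot form any path component at all, so no further path resolution is needed; the existence check covers the separate problem that the generator would otherwise overwrite a file that already has that name.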

What this means

If the user runs the generated deploy script, it may deploy to a real cloud account or production environment.

Why it was flagged

The generated package.json includes a deployment script that can publish to a cloud provider using whatever provider account or CLI session is available.

Skill content
```json
"deploy": "$PLATFORM deploy --prod"
```
Recommendation

Review the generated deployment target, logged-in cloud account, and CLI permissions before running npm run deploy.

What this means

The generator itself may be simple, but deployment requires external tools and provider logins that should be installed from trusted sources.

Why it was flagged

The skill says no extra dependencies are needed, but its documented deployment commands reference provider CLIs such as vercel, netlify, and wrangler. This is purpose-aligned for deployment, but the dependency boundary is not clearly declared.

Skill content
## Installation

```bash
# No additional dependencies required
```
Recommendation

Install only official cloud provider CLIs and verify what account they are logged into before using the generated deploy commands.
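A pre-flight check covering the recommendations of the last two findings (confirm the deploy target and the logged-in account before running npm run deploy), as an added example that is not part of the skill: it reads scripts.deploy out of package.json, identifies which provider CLI it invokes and whether it passes --prod, checks that the CLI is actually installed, and then runs that CLI's own account command (vercel whoami, netlify status, wrangler whoami). It assumes the "deploy" entry sits on one line, as in the generated file, and that the CLI is one of those three; anything else is reported as unknown.

```shell
#!/bin/sh
# Added example, not part of the skill: pre-flight check to run before
# `npm run deploy`. Assumes package.json keeps "deploy" on a single line
# and that the deploy CLI is vercel, netlify or wrangler.
set -eu

# Print the value of scripts.deploy from the given package.json, or nothing.
deploy_script() {
  sed -n 's/^[[:space:]]*"deploy"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# First word of the deploy script: the CLI that npm would execute.
deploy_cli() {
  deploy_script "$1" | awk '{ print $1 }'
}

# 0 if the deploy script passes --prod, i.e. targets production.
targets_prod() {
  case " $(deploy_script "$1") " in
    *" --prod "*) return 0 ;;
    *)            return 1 ;;
  esac
}

# The provider CLI's own command for showing the logged-in account.
whoami_cmd() {
  case "$1" in
    vercel)   echo "vercel whoami" ;;
    netlify)  echo "netlify status" ;;
    wrangler) echo "wrangler whoami" ;;
    *)        return 1 ;;
  esac
}

# Report what `npm run deploy` would do and which identity it would use.
# Returns 1 when there is no deploy script, the CLI is unknown, or the CLI
# is not installed, so a wrapper can abort before anything is published.
preflight() {
  pkg="${1:-package.json}"
  cli="$(deploy_cli "$pkg")"
  [ -n "$cli" ] || { echo "no scripts.deploy in $pkg" >&2; return 1; }
  if targets_prod "$pkg"; then
    echo "deploy script targets PRODUCTION via $cli"
  else
    echo "deploy script targets a non-production environment via $cli"
  fi
  check="$(whoami_cmd "$cli")" || { echo "unknown deploy CLI: $cli" >&2; return 1; }
  command -v "$cli" >/dev/null 2>&1 \
    || { echo "$cli is not installed; install it from the provider's official source" >&2; return 1; }
  echo "account check: $check"
  $check   # unquoted on purpose: run the two-word command
}
```

Run it as `preflight` in the generated project directory; the account command at the end is the part that needs the real CLI and a network connection, everything before it is a local read of package.json.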