Skill blocked — malicious content detected

ClawHub Security flagged this skill as malicious. Downloads are disabled. Review the scan results below.

Senior Fullstack

v2.1.1

Fullstack development toolkit with project scaffolding for Next.js, FastAPI, MERN, and Django stacks, code quality analysis with security and complexity scor...

by Alireza Rezvani (@alirezarezvani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included assets: SKILL.md documents scaffolding and analysis workflows and the package contains two Python scripts (project_scaffolder.py and code_quality_analyzer.py) plus reference guides. Nothing in the manifest requests unrelated credentials, binaries, or services.
Instruction Scope
Runtime instructions tell the agent/user to run the included Python scripts against a given path (e.g., '.' or /path/to/project). That is expected for a scaffolder/analyzer, but both scripts read and write files under the given path. The analyzer will scan files (including .env/.env.example and config files) for secrets and security patterns — so running it against broad system paths (or root) could surface sensitive data. SKILL.md does not instruct any network exfiltration and the scripts contain no outbound network code, but exercise caution about what path you analyze and about where you store/report analyzer output.
Install Mechanism
No install spec is provided; this is instruction-only and includes local Python scripts. No downloads, package installs, or third-party install URLs are present in the manifest.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. A minor issue: the scaffolder generates example config files containing default placeholders (e.g., DATABASE_URL with 'user:pass' and SECRET_KEY 'change-me-in-production') — convenient for bootstrapping but insecure if left in production. The analyzer searches for hardcoded secrets and other sensitive strings (expected), so be aware it will surface any secrets present in scanned paths.
Persistence & Privilege
Skill is not forced-always and does not request elevated platform privileges. It does write scaffolded files into the output directory when used (expected) but does not modify other skills or system-wide configurations.
Assessment
This skill appears to do what it says: generate project boilerplate and run a local code-quality/security scan. Before using it: (1) only point the analyzer at project directories you control (avoid /, /home, or system folders) because it reads files and can surface secrets; (2) inspect generated scaffold files and .env.example values and replace default placeholders (SECRET_KEY, DB credentials) before deploying; (3) treat analyzer output as advisory — its heuristics are simplified and may produce false positives/negatives; (4) do not upload or share reports that may contain discovered secrets. If you need stronger guarantees, run the scripts in an isolated environment (container) and review the scripts' source before executing.
scripts/project_scaffolder.py:352
Environment variable access combined with network send.
Critical security concern
These patterns indicate potentially dangerous behavior. Exercise extreme caution and review the code thoroughly before installing.



