Code Generator

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a benign code-template generator, but it uses local scripts with under-declared runtime requirements and one helper keeps local generation history.

Use this skill as a local code-scaffolding helper. Before installing or invoking it, review the included shell scripts, be aware that Bash/Python are required despite the registry metadata, avoid placing secrets in prompts or generator names, and treat all generated code as draft scaffolding that needs testing and security review.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

A user may not realize from the registry metadata that using the skill involves running local shell/Python scripts.

Why it was flagged

The registry metadata under-declares the local execution model because the skill ships runnable scripts and SKILL.md lists Bash/Python requirements. This is purpose-aligned, but users should notice the discrepancy before running scripts.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill. ... Code file presence: scripts/codegen.sh; scripts/script.sh

Recommendation

Review the included scripts before use and ensure Bash 4+ and Python 3 are available; registry metadata should declare these requirements.

Low

#ASI06: Memory and Context Poisoning

What this means

Project names or generation details could remain on disk in the user's local data directory.

Why it was flagged

The helper script creates a persistent local data directory and exposes history/logging hooks for generated items, so some generation activity may be stored locally.

Skill content

DATA_DIR="${CODE_GEN_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/code-generator}"
mkdir -p "$DATA_DIR"
...
history                     Recently generated files
...
_log "class" "$name ($lang)"

Recommendation

Avoid putting secrets in generator names/descriptions, and clear or redirect the history directory if local retention is not desired.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

A user could copy generated code assuming it is complete when parts still require implementation and testing.

Why it was flagged

Some generated output is explicitly placeholder scaffolding, so users should not rely on it as complete production-ready code without review.

Skill content

print('    # TODO: Implement {} logic'.format(desc))
print('    result = n  # placeholder')

Recommendation

Treat generated code as a starting point; review, complete, test, and security-check it before running or deploying it.