Generate new projects with standardized structure, tooling, and configuration for web, API, mobile, CLI, or browser extension apps.
Security Analysis
medium confidenceInstruction-only scaffolding guide appears useful, but the skill's metadata doesn't declare required tools and the SKILL.md contains inconsistent/incorrect commands (e.g., 'uv' usage), so the package is internally inconsistent and should be verified before use.
The SKILL.md clearly expects platform toolchains (node/npx/npm, Python/pip/uvicorn, Swift/Xcode, git) and network installs, but the skill metadata declares no required binaries or environment variables. A scaffolder should list the CLIs it calls; omitting them is an incoherence. Additionally the FastAPI example uses 'uv init && uv pip install fastapi uvicorn', which is not a standard command and appears to be a typo or reference to an undeclared CLI.
Instructions are focused on scaffolding and include concrete shell commands (npx create-next-app, npm install, mkdir, git init/commit). They don't ask to read arbitrary files or exfiltrate data, but they do instruct performing package installs and committing to git — actions that access the network and local repo state. The 'uv' command is ambiguous/incorrect and needs correction; otherwise the scope is appropriate for a scaffolding skill.
No install spec or code files are present (instruction-only), so there's no added install-time risk from downloads or archives being written to disk by the skill itself.
The skill requests no environment variables and no credentials, which is proportionate. It does mention .env in the .gitignore and references config.py for settings, but doesn't request secrets. Users should still be aware the scaffolded projects may include instructions to use env vars and will likely cause developers to create or store secrets locally.
The skill is not always-enabled and doesn't request persistent privileges. Autonomous invocation is allowed by platform default but not combined with any other high-risk factor in this package.
Guidance
This skill is an instruction-only project scaffolder and has low installation risk, but there are internal inconsistencies you should resolve before using it: 1) The metadata claims no required binaries, yet the instructions call many CLIs (node/npx/npm, git, python/pip/venv, swift/Xcode). Ensure those tools exist in your environment before running any commands. 2) Fix the apparent typo 'uv init && uv pip install fastapi uvicorn' — replace with standard Python steps (for example: python -m venv .venv && source .venv/bin/activate && pip install fastapi uvicorn) or clarify what 'uv' refers to. 3) Expect network activity: npx/npm and pip will download packages — run in a network-safe sandbox/CI or review packages you allow. 4) Review generated files (package.json, pyproject/requirements, build scripts) for any unexpected postinstall hooks. 5) Because this is instruction-only, it won't itself install code, but following the commands will modify your system/repo; run them in a disposable directory or VM until you confirm the commands are correct. If the publisher can clarify required binaries and correct the FastAPI commands, the skill would be coherent and usable.
Latest Release
v1.0.0
Initial release of project-scaffold. - Provides boilerplate project structures for web apps (React/Next.js), APIs (FastAPI), mobile apps (SwiftUI), CLI tools, and browser extensions. - Includes recommended file/folder organization and relevant initialization commands for each project type. - Offers a universal .gitignore template and a post-scaffold checklist for next steps. - Guides users to ask or infer project type and then generates appropriate scaffolding.
More by @cmanfre7
Published by @cmanfre7 on ClawHub
