Sovereign project-setup-wizard

by ryudi84 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
573 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install sovereign-project-setup-wizard
Description
Generates production-ready project scaffolds for Node.js, Python, Go, or Rust with directory, .gitignore, README, CI/CD, Docker, linting, testing, and licens...
Usage Guidance
This skill appears to be what it says: a local project scaffolder implemented as a bash script. Before installing or running it:
  1. Run it in dry-run mode (--dry-run) and inspect the generated content.
  2. Review the scripts/setup.sh file for any commands that would run package managers (npm/pip/go/cargo) or initialize remotes/perform network access.
  3. If you want extra safety, run the script in an isolated directory or container.
  4. Be aware the tool may initialize a git repo by default; use --no-git-init if you prefer to avoid that.
  5. Verify the repository/homepage links (skill.json points to a GitHub repo and a ClawHub URL) if you need additional provenance.
If you see unexpected network calls, credential prompts, or modifications outside the output directory, do not run it.
Capability Analysis
Type: OpenClaw Skill
Name: sovereign-project-setup-wizard
Version: 1.0.0
The skill is classified as suspicious due to a critical shell injection vulnerability (Remote Code Execution) present in `scripts/setup.sh`. User-controlled inputs such as `PROJECT_NAME`, `DESCRIPTION`, `AUTHOR_NAME`, and `AUTHOR_EMAIL` (obtained via command-line arguments, interactive prompts, or environment variables) are directly interpolated into shell commands and here-documents without proper sanitization. This allows an attacker to inject and execute arbitrary shell commands by crafting malicious input, for example, by providing a project name like `my-app$(rm -rf /)`.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md, skill.json, and the included scripts align: a bash-based scaffolding tool that generates project files. Required tools (bash, git) in skill.json match the script behavior. Minor metadata mismatch: SKILL.md examples use the shorter slug 'project-setup-wizard' while the registry lists 'sovereign-project-setup-wizard', and skill.json includes a homepage URL although registry metadata showed none — these are metadata inconsistencies but not security issues.
Instruction Scope
SKILL.md instructs the agent to run the bundled script or use openclaw run/install and documents environment variables (PSW_*). The script prompts for project details, reads local git config for defaults, and writes files into the target directory. There are no instructions to read unrelated system files, call external endpoints, or exfiltrate data in the provided content.
Install Mechanism
No install spec is provided (instruction-only with an included script), so nothing is downloaded during install. The code is bundled in the skill (scripts/setup.sh) and will run locally; that is expected for a scaffolding tool and is lower risk than arbitrary network downloads.
Credentials
The skill does not declare or require secrets or external service credentials. SKILL.md documents optional PSW_* environment variables to pre-populate options (language, author, etc.), which is reasonable. The script reads git config for author defaults — normal and local-only.
Persistence & Privilege
always is false and the skill does not request system-wide persistence. It will create files/directories in the user-specified output directory and may initialize a git repository (configurable via flags). Autonomous invocation is allowed by default on the platform, which is normal; combined with no other red flags this is not concerning.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sovereign-project-setup-wizard
  3. After installation, invoke the skill by name or use /sovereign-project-setup-wizard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug: sovereign-project-setup-wizard
Version: 1.0.0
License:
All-time Installs: 1
Active Installs: 1
Total Versions: 1
Frequently Asked Questions

What is Sovereign project-setup-wizard?

Generates production-ready project scaffolds for Node.js, Python, Go, or Rust with directory, .gitignore, README, CI/CD, Docker, linting, testing, and licens... It is an AI Agent Skill for Claude Code / OpenClaw, with 573 downloads so far.

How do I install Sovereign project-setup-wizard?

Run "/install sovereign-project-setup-wizard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Sovereign project-setup-wizard free?

Yes, Sovereign project-setup-wizard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Sovereign project-setup-wizard support?

Sovereign project-setup-wizard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Sovereign project-setup-wizard?

It is built and maintained by ryudi84 (@ryudi84); the current version is v1.0.0.
