Downloads: 686
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install solo-scaffold
Description
Generate complete project from PRD + stack template — directory structure, configs, CLAUDE.md, git repo, and GitHub push. Use when user says "scaffold projec...
Usage Guidance
Before installing or invoking:
1) Confirm how the skill will authenticate to GitHub: does it expect an existing SSH key or a GITHUB_TOKEN set in the agent environment? If automatic GitHub pushes are expected, require an explicit token or consent prompt.
2) Ask what the SoloGraph/Context7 MCP access scopes are and whether they will read private repositories or metadata; if you don't want cross-repo analysis, disable those MCP calls or restrict the sibling projects.
3) Be aware that the skill will create ~/.solo-factory/defaults.yaml and write files under your projects_dir; review that file and the generated repo before any remote push.
4) If you are uncomfortable with automatic remote pushes, run the scaffold locally (generate files) and perform git init/git push manually after reviewing.
5) If you want higher assurance, ask the skill author to declare required env vars (e.g., GITHUB_TOKEN, optionally GIT_SSH_COMMAND or path to ssh key) and to include a dry-run/preview-only mode that never performs network pushes.
Capability Analysis
Type: OpenClaw Skill
Name: solo-scaffold
Version: 1.5.1
The skill is classified as suspicious due to critical vulnerabilities related to input sanitization and the broad use of powerful tools. Specifically, the `SKILL.md` directly uses unsanitized `$ARGUMENTS` (e.g., `project-name`) in `Bash` commands like `mkdir`, `cd`, and `gh repo create`. This creates a severe shell injection and path traversal vulnerability, potentially allowing an attacker to execute arbitrary commands or write files outside the intended project directory. Additionally, the skill generates a new `SKILL.md` for the scaffolded project, which itself grants `Bash` execution capabilities to the agent, posing a risk for persistent prompt injection or chained execution if the initial input is malicious.
Capability Assessment
Purpose & Capability
The skill claims to create a git repo and push to GitHub, and to study existing projects via SoloGraph/Context7. However, requires.env lists no GitHub token, SSH key, or other credentials; install spec is absent. Pushing to GitHub and interacting with org-level code normally requires explicit credentials or a declared auth flow. The skill also persists org defaults under ~/.solo-factory which is reasonable for a scaffolder, but that does not justify omitting GitHub auth details.
Instruction Scope
SKILL.md explicitly instructs the agent to read local templates, PRD files, and to analyze sibling projects via multiple MCP SoloGraph calls (project_info, code_search, codegraph_explain, et cetera). This is coherent with the stated goal (making generated projects consistent with portfolio), but it means the skill will access other projects' source and metadata — potentially sensitive — and will create files in the user's home and projects directory. The SKILL.md limits sibling-project research to 2–3 projects, which mitigates but does not eliminate privacy risk.
Install Mechanism
Instruction-only skill with no install steps and no code files. This is the lowest install risk: nothing is downloaded or written by an installer beyond what the instructions themselves create at runtime.
Credentials
No required environment variables or primary credential are declared, yet the skill intends to push to GitHub and may interact with Context7 and SoloGraph MCPs. That omission is disproportionate: at minimum a GITHUB_TOKEN or an explicit note that the agent will use existing local git/SSH config should be declared. It also writes ~/.solo-factory/defaults.yaml (containing org_domain, github_org, apple_dev_team) which could be sensitive; the skill does prompt the user for those values but will persist them.
Persistence & Privilege
The skill writes persistent config to ~/.solo-factory/defaults.yaml and creates project directories/files under the user's projects_dir. It does not request always:true and does not modify other skills. Persisting org defaults and generating repo files is reasonable for scaffolding but users should be aware it will leave files on disk and may push to remote repositories if credentials are available in the environment.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install solo-scaffold`
- After installation, invoke the skill by name or use `/solo-scaffold`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.5.1
Universalize: remove project-specific references, add SearXNG recommendation
v1.5.0
Initial publish
Frequently Asked Questions
What is Scaffold?
Generate complete project from PRD + stack template — directory structure, configs, CLAUDE.md, git repo, and GitHub push. Use when user says "scaffold projec... It is an AI Agent Skill for Claude Code / OpenClaw, with 686 downloads so far.
How do I install Scaffold?
Run "/install solo-scaffold" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Scaffold free?
Yes, Scaffold is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Scaffold support?
Scaffold is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Scaffold?
It is built and maintained by Rust (@fortunto2); the current version is v1.5.1.