Total downloads: 686
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install solo-scaffold
Description
Generate complete project from PRD + stack template — directory structure, configs, CLAUDE.md, git repo, and GitHub push. Use when user says "scaffold projec...
Security usage recommendations
Before installing or invoking:
1) Confirm how the skill will authenticate to GitHub — does it expect an existing SSH key or a GITHUB_TOKEN set in the agent environment? If automatic GitHub pushes are expected, require an explicit token or consent prompt.
2) Ask what SoloGraph/Context7 MCP access scopes are and whether they will read private repositories or metadata; if you don't want cross-repo analysis, disable those MCP calls or restrict the sibling projects.
3) Be aware the skill will create ~/.solo-factory/defaults.yaml and write files under your projects_dir; review that file and the generated repo before any remote push.
4) If you are uncomfortable with automatic remote pushes, run the scaffold locally (generate files) and perform git init/git push manually after reviewing.
5) If you want higher assurance, request the skill author to declare required env vars (e.g., GITHUB_TOKEN, optionally GIT_SSH_COMMAND or path to ssh key) and to include a dry-run/preview-only mode that never performs network pushes.
Functional analysis
Type: OpenClaw Skill
Name: solo-scaffold
Version: 1.5.1
The skill is classified as suspicious due to critical vulnerabilities related to input sanitization and the broad use of powerful tools. Specifically, the `SKILL.md` directly uses unsanitized `$ARGUMENTS` (e.g., `project-name`) in `Bash` commands like `mkdir`, `cd`, and `gh repo create`. This creates a severe shell injection and path traversal vulnerability, potentially allowing an attacker to execute arbitrary commands or write files outside the intended project directory. Additionally, the skill generates a new `SKILL.md` for the scaffolded project, which itself grants `Bash` execution capabilities to the agent, posing a risk for persistent prompt injection or chained execution if the initial input is malicious.
Capability assessment
Purpose & Capability
The skill claims to create a git repo and push to GitHub, and to study existing projects via SoloGraph/Context7. However, requires.env lists no GitHub token, SSH key, or other credentials; install spec is absent. Pushing to GitHub and interacting with org-level code normally requires explicit credentials or a declared auth flow. The skill also persists org defaults under ~/.solo-factory which is reasonable for a scaffolder, but that does not justify omitting GitHub auth details.
Instruction Scope
SKILL.md explicitly instructs the agent to read local templates, PRD files, and to analyze sibling projects via multiple MCP SoloGraph calls (project_info, code_search, codegraph_explain, et cetera). This is coherent with the stated goal (making generated projects consistent with portfolio), but it means the skill will access other projects' source and metadata — potentially sensitive — and will create files in the user's home and projects directory. The SKILL.md limits sibling-project research to 2–3 projects, which mitigates but does not eliminate privacy risk.
Install Mechanism
Instruction-only skill with no install steps and no code files. This is the lowest install risk: nothing is downloaded or written by an installer beyond what the instructions themselves create at runtime.
Credentials
No required environment variables or primary credential are declared, yet the skill intends to push to GitHub and may interact with Context7 and SoloGraph MCPs. That omission is disproportionate: at minimum a GITHUB_TOKEN or an explicit note that the agent will use existing local git/SSH config should be declared. It also writes ~/.solo-factory/defaults.yaml (containing org_domain, github_org, apple_dev_team) which could be sensitive; the skill does prompt the user for those values but will persist them.
Persistence & Privilege
The skill writes persistent config to ~/.solo-factory/defaults.yaml and creates project directories/files under the user's projects_dir. It does not request always:true and does not modify other skills. Persisting org defaults and generating repo files is reasonable for scaffolding but users should be aware it will leave files on disk and may push to remote repositories if credentials are available in the environment.
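How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install solo-scaffold
- Once installation completes, call the Skill by name or use /solo-scaffold to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output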
Version history
v1.5.1
Universalize: remove project-specific references, add SearXNG recommendation
v1.5.0
Initial publish
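FAQ
What is Scaffold?
Generate complete project from PRD + stack template — directory structure, configs, CLAUDE.md, git repo, and GitHub push. Use when user says "scaffold projec... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 686 cumulative downloads to date.
How do I install Scaffold?
Run the command "/install solo-scaffold" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is Scaffold free?
Yes, Scaffold is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Scaffold support?
Scaffold is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Scaffold?
Developed and maintained by Rust (@fortunto2); the current version is v1.5.1.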