Sovereign project-setup-wizard

Generates production-ready project scaffolds for Node.js, Python, Go, or Rust with directory, .gitignore, README, CI/CD, Docker, linting, testing, and licens...

This skill appears to be what it says: a local project scaffolder implemented as a bash script. Before installing/running it: (1) run it in dry-run mode (--dry-run) and inspect the generated content; (2) review the scripts/setup.sh file for any commands that would run package managers (npm/pip/go/cargo) or initialize remotes/perform network access; (3) if you want extra safety, run the script in an isolated directory or container; (4) be aware the tool may initialize a git repo by default — use --no-git-init if you prefer to avoid that; (5) verify the repository/homepage links (skill.json points to a GitHub repo and a ClawHub URL) if you need additional provenance. If you see unexpected network calls, credential prompts, or modifications outside the output directory, do not run it.

Type: OpenClaw Skill Name: sovereign-project-setup-wizard Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability (Remote Code Execution) present in `scripts/setup.sh`. User-controlled inputs such as `PROJECT_NAME`, `DESCRIPTION`, `AUTHOR_NAME`, and `AUTHOR_EMAIL` (obtained via command-line arguments, interactive prompts, or environment variables) are directly interpolated into shell commands and here-documents without proper sanitization. This allows an attacker to inject and execute arbitrary shell commands by crafting malicious input, for example, by providing a project name like `my-app$(rm -rf /)`.