auto-init

Scaffolds AI automation for projects, configuring infrastructure and validating setups for hub or consumer roles.

Install this skill

or

18/100

Security score

The auto-init skill was audited on Apr 6, 2026 and we found 30 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 7

Webhook reference - potential data exfiltration

SourceSKILL.md

7	You scaffold and configure AI automation for the current project. First asks whether this is the hub (full setup: all agents + Lambda + webhooks + AWS resources) or a consumer (PR + delegation

medium line 82

Webhook reference - potential data exfiltration

SourceSKILL.md

82	> Which project is the automation hub? This is the project that owns the Lambda functions and webhooks. Pipeline IDs from this repo will be registered in the hub's Lambda env vars.

medium line 87

Webhook reference - potential data exfiltration

SourceSKILL.md

87	> Is this the main project for AI automation? The main project owns all AWS infrastructure (Lambda, DynamoDB, webhooks) and runs all work-item-triggered agents. Other projects are consumers — they

medium line 89

Webhook reference - potential data exfiltration

SourceSKILL.md

89	> 1. Yes — this is the hub — Set up all agents + Lambda + webhooks + AWS resources

medium line 152

Webhook reference - potential data exfiltration

SourceSKILL.md

152	Scaffolding is profile-aware. Consumer profile gets a minimal subset — only pipeline YAMLs and config. They NEVER get Lambda handlers, webhook config, or AWS resource definitions.

medium line 177

Webhook reference - potential data exfiltration

SourceSKILL.md

177	Consumer: Copy ONLY the relevant subset — no Lambda, no webhook config, no AWS resource scripts:

medium line 227

Webhook reference - potential data exfiltration

SourceSKILL.md

227	- `hubProject`: from Question 5c (the project owning Lambda/webhooks)

medium line 229

Webhook reference - potential data exfiltration

SourceSKILL.md

229	- `webhooks.pr-answer`: entry for the repo-scoped PR Answer hook (URL left as placeholder — filled by `/auto-webhooks` using the hub's Lambda URL)

low line 253

Webhook reference - potential data exfiltration

SourceSKILL.md

253	BASIC_USER= # Webhook basic auth username

low line 254

Webhook reference - potential data exfiltration

SourceSKILL.md

254	BASIC_PASS= # Webhook basic auth password

low line 255

Webhook reference - potential data exfiltration

SourceSKILL.md

255	WEBHOOK_SECRET= # Shared webhook secret header value

low line 346

Webhook reference - potential data exfiltration

SourceSKILL.md

346	5. `/auto-webhooks` — Configure ADO service hooks

low line 361

Webhook reference - potential data exfiltration

SourceSKILL.md

361	Hub project: <hub project name> (owns Lambda + webhooks)

low line 379

Webhook reference - potential data exfiltration

SourceSKILL.md

379	3. `/auto-webhooks` — Create repo-scoped PR Answer hook + PR Review build policy

medium line 412

Webhook reference - potential data exfiltration

SourceSKILL.md

412	- Non-hub repos MUST NOT touch AWS — for `consumer` profile: never scaffold Lambda handlers, AWS resource definitions, deploy scripts, or CloudWatch alarms. Never ask for AWS region, resource pref

medium line 16

Access to .env file

SourceSKILL.md

16	\| Data bundle (.ai/automation/) \| Compare against plugin data → update silently if plugin files changed (preserving user-filled values in infra.json, repos.json, .env) \|

medium line 18

Access to .env file

SourceSKILL.md

18	\| Generated files (infra.json, repos.json, .env.template) \| Validate structure and required fields exist — report missing fields from newer templates \|

medium line 238

Access to .env file

SourceSKILL.md

238	### 2.6. Generate `.ai/automation/.env.template`

low line 242

Access to .env file

SourceSKILL.md

242	cat > .ai/automation/.env.template << 'EOF'

low line 244

Access to .env file

SourceSKILL.md

244	# Copy to .env and fill in values. NEVER commit .env to git.

medium line 265

Access to .env file

SourceSKILL.md

265	Consumer: Generate a shorter `.env.template` with only the variables needed for pipeline agents (no Lambda/AWS vars):

low line 267

Access to .env file

SourceSKILL.md

267	cat > .ai/automation/.env.template << 'EOF'

low line 269

Access to .env file

SourceSKILL.md

269	# Copy to .env and fill in values. NEVER commit .env to git.

low line 333

Access to .env file

SourceSKILL.md

333	- `.ai/automation/.env.template` — credential reference (copy to `.env`, never commit)

low line 369

Access to .env file

SourceSKILL.md

369	- `.ai/automation/.env.template` — credential reference

low line 127

External URL reference

SourceSKILL.md

127	> Example: `https://dev.azure.com/myorg/myproject/_wiki/wikis/MyWiki/123/Definition-of-Ready`

low line 134

External URL reference

SourceSKILL.md

134	> Example: `https://author-myproject.adobeaemcloud.com`

low line 136

External URL reference

SourceSKILL.md

136	> (Leave blank for local AEM author at `http://localhost:4502`)

low line 141

External URL reference

SourceSKILL.md

141	> Example: `https://publish-myproject.adobeaemcloud.com`

low line 143

External URL reference

SourceSKILL.md

143	> (Leave blank for local AEM publisher at `http://localhost:4503`)

Scanned on Apr 6, 2026

View Security Dashboard

Installation guide →

GitHub Stars 3

Rate this skill

Categorydevelopment

UpdatedApril 10, 2026

openclaw devops backend devops-sre backend-developer growth-pm aws development product

easingthemes/dx-aem-flow