create-claude

mcp
Security Audit: Fail
Health: Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 6 GitHub stars
Code: Fail
  • rm -rf — Recursive force deletion command in .github/workflows/publish.yml
  • fs.rmSync — Destructive file system operation in package.json
  • fs module — File system access in package.json
  • fs module — File system access in skel/.claude/hooks/format.cjs
  • rm -rf — Recursive force deletion command in skel/.claude/hooks/safety.cjs
  • process.env — Environment variable access in skel/.claude/hooks/safety.cjs
  • fs module — File system access in skel/.claude/hooks/safety.cjs
  • execSync — Synchronous shell command execution in skel/.claude/hooks/session-end.cjs
  • fs module — File system access in skel/.claude/scripts/statusline-detect.cjs
  • execSync — Synchronous shell command execution in skel/.claude/scripts/statusline-git.cjs
  • exec() — Shell command execution in skel/.claude/scripts/statusline-git.cjs
  • process.env — Environment variable access in skel/.claude/scripts/statusline-git.cjs
  • fs module — File system access in skel/.claude/scripts/statusline.cjs
  • rm -rf — Recursive force deletion command in skel/.claude/settings.local.json
Permissions: Pass
  • Permissions — No dangerous permissions requested
Purpose
This MCP server and CLI tool scaffolds a pre-configured Claude Code environment for new projects. It automatically sets up configuration files, hooks, commands, and specialized sub-agents.

Security Assessment
Overall risk: Medium. The tool legitimately executes shell commands and modifies the file system as part of its scaffolding duties, but it does so using potentially unsafe methods. Multiple scripts rely on `execSync` and `exec()` for synchronous shell execution, and `rm -rf` is used extensively in safety hooks, scripts, and GitHub workflows. While the README claims operations feature timestamped backups and that the tool only creates rather than modifies files, the heavy use of recursive force deletion in JavaScript and JSON configuration files introduces a non-trivial risk of accidental data loss if a script encounters an error. Environment variables are also accessed to read local system data. No hardcoded secrets or explicit network requests were detected, but executing shell commands inherently exposes the system to injection if inputs are mishandled.

Quality Assessment
The project is very new and has extremely low visibility with only 6 GitHub stars, meaning it has not been widely battle-tested or reviewed by the community. However, it is actively maintained (last push was today), includes a clear description, and uses a standard MIT license, making it legally safe to adopt.

Verdict
Use with caution—the project shows active maintenance and solid intentions, but developers should carefully review the shell execution and recursive deletion logic before deploying it in critical environments.
SUMMARY

Claude Code setup that just works. Bootstrap every project with agents, hooks, commands, and smart permissions. One command, zero headaches.

README.md

create-claude

Quick Start

npm create claude

Adds local Claude Code config files to your project. ZERO dependencies, ZERO overhead.

Installation Options

Package Managers

npm create claude               # npm
pnpm create claude              # pnpm  
bun create claude               # bun
yarn create claude              # yarn

Flags

npm create claude --dry-run     # Preview files
npm create claude --help        # All options

Shortcuts

cld                             # Short alias
npx cld                         # Via npx

Programmatic Usage

Installation

npm i create-claude

Usage

import { init } from 'create-claude';

await init('./my-project');

Features

Maximum Autonomy with Safety

  • bypassPermissions mode: Claude Code operates freely while dangerous operations are blocked
  • Smart safety hooks: Only blocks truly destructive commands (rm -rf /, sudo rm, disk formatting)
  • Delete confirmations: All file/directory deletions require explicit user approval

8 Custom Slash Commands

  • /commit: Create git commits with Haiku model for cost efficiency
  • /explain: Get concise code explanations
  • /fix: Fix issues with structured approach
  • /optimize: Performance improvements
  • /pr: Create pull requests with git context
  • /review: Brutal code reviews
  • /test: Run tests with pattern support
  • /validate: Lint, typecheck, and format

3 Specialized Subagents

  • pre-commit: Ruthless validation before commits
  • refactor: Aggressive complexity reduction
  • debugger: Root cause analysis and fixes

Production-Ready Configuration

  • Session hooks: Automatic cleanup on exit
  • Advanced statusline: Git status, framework detection, color-coded information with modular helpers
  • Import-based memory: CLAUDE.md uses @ imports for README and dynamically includes project configs (package.json, Cargo.toml, etc.)
  • Terse output style: Minimal, efficient responses without bloat

FAQ

Is it safe to run?

Yes. It only creates config files, never modifies your code. Each file operation uses SHA256 checksums and creates timestamped backups.

# If something goes wrong, backups are here:
ls .create-claude-backup-*

How do I remove it?

Delete the config files:

rm -rf .claude CLAUDE.md

Your original code stays untouched.

What are the requirements?

That's it. No global installs, no dependencies.

Does it work with my tools?

It auto-detects:

  • Formatters: Prettier, ESLint, Biome, dprint
  • Package managers: npm, yarn, pnpm, bun
  • Languages: JavaScript, TypeScript, Python, Go, Rust
  • Frameworks: React, Vue, Next.js, etc.

Can't find your tool? It falls back to sensible defaults.

What files does it create?

Creates 20 files in total:

.claude/
├── settings.local.json     # Permissions, tool detection
├── hooks/
│   ├── format.cjs         # Auto-format on save
│   ├── safety.cjs         # Block dangerous operations
│   └── session-end.cjs    # Cleanup on exit
├── agents/
│   ├── pre-commit.md      # Ruthless validation
│   ├── refactor.md        # Complexity reduction
│   └── debugger.md        # Root cause analysis
├── commands/
│   ├── commit.md          # Git commits with Haiku
│   ├── explain.md         # Code explanations
│   ├── fix.md             # Structured fixes
│   ├── optimize.md        # Performance improvements
│   ├── pr.md              # Pull request creation
│   ├── review.md          # Brutal code reviews
│   ├── test.md            # Test runner
│   └── validate.md        # Lint, typecheck, format
├── scripts/
│   ├── statusline.cjs         # Git status in prompt
│   ├── statusline-git.cjs     # Git operations helper
│   └── statusline-detect.cjs  # Framework detection helper
└── output-styles/
    └── terse.md                # Minimal output style

CLAUDE.md                   # Project-specific instructions

Security

This project follows security best practices:

  • All dependencies are audited and kept up-to-date
  • Code is scanned with CodeQL and other security tools
  • OpenSSF Scorecard certified
  • Signed releases with build provenance

Report security issues: SECURITY.md

Contributing

Contributions welcome! Please read SECURITY.md first, then:

  1. Fork the repo
  2. Create a feature branch
  3. Run npm run validate before committing
  4. Submit a pull request

Links

Issues | Changelog | Claude Code Docs | Security

License

MIT © RMNCLDYO
