Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cover Letter Drafter
v0.1.1
Generates professional cover letters for journal submissions and job applications in medical and academic contexts.
by AIpoch @aipoch-ai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md: a small Python script that generates cover letters for journal, job, and fellowship use cases. There are no unexpected binaries, env vars, or cloud credentials requested.
Instruction Scope
Runtime instructions and examples are scoped to running the local script with CLI args. The code only formats templates and writes JSON output. However, the script will write whatever path is provided to --output without validating or restricting paths (no ../ traversal protection), and user-supplied fields are interpolated directly into templates without sanitization.
Install Mechanism
No install specification — instruction-only plus a small local Python script. Nothing is downloaded or written by an installer.
Credentials
No environment variables, credentials, or config paths are requested. The requested footprint is minimal and proportionate to the stated function.
Persistence & Privilege
always is false and the skill does not request permanent/system-wide changes. It only runs when invoked and writes output to the specified path; it does not modify other skills or global agent config.
Assessment
This skill appears to be what it claims: a small local Python tool for drafting cover letters. Before running it, consider these practical cautions: (1) The script will write to whatever path you pass to --output without checking for ../ traversal or restricting destination — avoid passing sensitive system paths and run in a sandboxed workspace. (2) User-supplied fields (recipient, key-points, title, significance, etc.) are interpolated directly into templates without sanitization; do not feed sensitive or untrusted data if you care about leakage or formatting surprises. (3) The SKILL.md lists checklist items (prompt-injection protections, input validation) but the code does not implement them — treat those as TODOs, not guarantees. If you need stronger guarantees, run the script in an isolated environment, review/modify templates to fit your privacy needs, and ensure output paths are safe before enabling automated/autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
latestvk973a48tj393vjv1akba11yke9832ahb
