Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grant Proposal Assistant
v0.1.0
Grant proposal writing assistant for NIH (R01/R21), NSF and other mainstream funding applications. Triggers when user needs help writing specific aims, resea...
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (grant proposal assistance) matches included assets: templates, examples, a Python script to generate sections and a review mode. No unrelated binaries, external cloud credentials, or opaque third-party services are requested.
Instruction Scope
SKILL.md instructs running scripts/main.py to generate sections and to read an input proposal for review — this is expected. However the doc's security checklist claims input path validation (no '../' traversal) and sanitized errors but the shipped SKILL.md and visible portions of scripts/main.py do not show enforcement. The review feature will necessarily read user-provided files; confirm the implementation sanitizes/validates paths and does not read unrelated system files.
Install Mechanism
Instruction-only skill with no install spec and a small Python script that uses only standard-library modules. No downloads, packages, or external installers are invoked in SKILL.md or the visible code.
Credentials
The skill requests no environment variables or credentials and does not declare any privileged config paths. That is proportionate for a local template/generator and reviewer tool.
Persistence & Privilege
always:false and no indication the skill attempts to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined here with broad access.
What to consider before installing
This skill appears to do what it says (generate templates and review proposals) and uses only standard Python libraries, but take these precautions before running or installing it:
1) Inspect the full scripts/main.py (the provided snippet is truncated) to confirm there are no network calls, subprocess.exec, or unexpected file-system accesses.
2) Verify that the review functionality sanitizes and validates input file paths (prevents '../' traversal) before feeding any real proposal/PII; test it first with non-sensitive/sample files.
3) Note a documentation mismatch: SKILL.md references a budget_templates.xlsx but the manifest only contains budget_templates.md. Confirm whether any binary/reference files are missing.
4) Run the script in an isolated/sandboxed environment (or container) if you intend to process sensitive institutional documents.
If you cannot inspect the full code, do not run it on confidential proposals or files containing PII/credentials.
Like a lobster shell, security has layers — review code before you run it.
Latest version: vk97ez7my6yr9akgyq6e9n3mzfd83e6cp
