Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Proposal Generator Main
v1.3.0
Generate professional HTML proposals from meeting notes, powered by SkillBoss API Hub. Features 5 proposal styles (Corporate, Entrepreneur, Creative, Consult...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md claims the skill is "powered by SkillBoss API Hub" and its header includes requires.env: [SKILLBOSS_API_KEY], which is consistent with an external integration. However, the registry metadata above lists no required env vars/primary credential. The bundled files (templates, themes, example HTML) show the skill can generate proposals purely from local templates and meeting notes; there are no explicit API call examples or endpoints in SKILL.md or the provided files. The need for an external API key is therefore unexplained and disproportionate unless the SkillBoss integration is documented elsewhere.
Instruction Scope
The runtime instructions focus on local file operations (search meeting-notes/, check MEMORY.md, load proposals/SERVICES.md, save templates to proposals/templates/custom, generate HTML and export to PDF). These actions are appropriate for the stated purpose. SKILL.md also mentions integration with ai-meeting-notes and the SkillBoss API Hub, but it does not include concrete steps, network endpoints, or what data would be transmitted to SkillBoss; that missing detail is notable because it affects privacy/telemetry assumptions.
Install Mechanism
No install spec is present and the skill is instruction-only. Nothing will be downloaded or written to disk by an installer beyond the normal behavior of generating and saving templates/proposals to the project's proposals/ folders. This is low-risk from an install perspective.
Credentials
SKILL.md declares a required env var SKILLBOSS_API_KEY, but the registry metadata lists none — an inconsistency. Requesting a single API key could be proportional if the skill needs to call SkillBoss, but the skill never documents what data is sent (meeting notes, MEMORY.md, pricing) or which endpoints are used. If SkillBoss is used, a key could enable exfiltration of sensitive client/meeting data — the permission scope and usage are not specified.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide presence. The SKILL.md indicates it will save user-created templates and generated proposals to local paths (proposals/templates/custom and proposals/generated/), which is expected behavior for this functionality and is proportionate.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner had no findings (this is an instruction-only skill with many static template files). A lack of findings does not prove the skill is safe — the main concern is missing documentation for external API usage rather than suspicious code patterns.
What to consider before installing
The skill appears to legitimately generate HTML proposals from local meeting notes and templates, and includes many theme/template files that fit its claimed purpose. However: (1) SKILL.md lists SKILLBOSS_API_KEY while the registry metadata lists no required env — ask the author to explain why the SkillBoss API key is needed and what SkillBoss endpoints the skill calls. (2) Before providing any API key, confirm what data is transmitted to SkillBoss (are meeting notes, MEMORY.md or SERVICES.md uploaded?) and whether the key can be scoped/limited. (3) If the author cannot provide an explicit network call list or privacy statement, consider running the skill in a sandboxed environment or refusing to supply credentials. (4) Prefer using a restricted/test API key and monitor outbound network traffic while exercising the skill. If you rely on sensitive meeting notes or client data, do not provide broad credentials until you have a clear data-flow description and confidence in the integration.
Like a lobster shell, security has layers — review code before you run it.
latestvk974t3wrg2s90xzfs8rj7c60zh84wb73
