Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Estimate Generator

v2.1.0

Automatically generate estimates from QTO data. Apply pricing rules to BIM quantities for cost estimates.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the instructions: the skill expects QTO/BIM input and applies pricing rules to it. However, the embedded Python implementation imports pandas (and likely other third-party libraries), while the declared requirements list only the python3 binary; those additional runtime dependencies appear neither in the metadata nor in an install spec.
Instruction Scope
Instructions limit the agent to parsing user-provided QTO data, mapping to pricing rules, and producing structured estimates. There are no instructions to read unrelated system files, call external endpoints, or exfiltrate data in the visible content.
Install Mechanism
This is an instruction-only skill with no install spec (the lowest install risk). That said, the runtime code shown requires Python libraries (pandas, possibly openpyxl, etc.) but provides no installation steps. This is an operational gap that could lead an agent to attempt installing packages at runtime, or to fail unexpectedly when the imports are missing.
Credentials
No environment variables or external credentials are requested, which is appropriate for an offline estimate generator that uses user-supplied QTO data. The lack of secret access is proportionate to the stated purpose.
Persistence & Privilege
claw.json includes a filesystem permission. That is reasonable for reading user-supplied CSV/Excel files, but it is broad: the skill metadata does not constrain which paths the agent may access. Because no install step or explicit file-path constraints are provided, confirm how filesystem access will be limited in your environment before enabling the skill.
What to consider before installing
This skill appears to do what it says (generate cost estimates from QTO data), but check the following before installing:
- Dependencies: The included Python code uses pandas and may need Excel libraries. Ask the publisher for a dependency list or an install spec, or run the skill in a sandboxed environment so that any unexpected package installs are contained.
- Filesystem access: The skill metadata requests filesystem permission. Ensure the agent's runtime restricts the skill to the files you explicitly provide; do not grant unrestricted access to your home or system directories.
- Source and provenance: The source is listed as 'unknown' and the homepage is an external domain. If you plan to use this in production, verify the publisher and ask for a canonical package/release or a git repository so you can review the complete code.
- Test with non-sensitive data first: Run the skill on synthetic or redacted QTO data to confirm its behavior and outputs before feeding it real project files.
The concerns above would be largely resolved if the publisher can provide (1) a full dependency list with install instructions, (2) confirmation that the skill makes no external network calls, and (3) a narrower filesystem scope or explicit instructions for the expected file paths.
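One way to run the dependency and filesystem checks listed above yourself, before asking the publisher or enabling the skill. This is an added example, not code from the listing, from ClawHub, or from the skill; it parses the embedded Python with the standard `ast` module, lists third-party imports the metadata does not declare (this listing declares only the python3 binary), flags modules that reach the network or can shell out (for instance to run `pip install` at runtime), and reports hard-coded absolute paths outside the directory you intend to expose. The sample skill source, the `/workspace` root and the module lists are assumptions chosen for illustration.

```python
"""Pre-install static audit of an instruction-only agent skill's embedded Python.

Added example for this listing; not the skill's code and not a ClawHub tool.
It answers the questions the scan raises: which third-party modules the code
imports that the metadata does not declare, whether it reaches the network or
shells out (e.g. to install packages at runtime), and which hard-coded absolute
paths fall outside the directory the agent is meant to see.
"""
import ast
import sys

# Modules whose presence contradicts "offline estimate generator" (assumed list).
NETWORK_MODULES = {"socket", "http", "urllib", "requests", "httpx",
                   "aiohttp", "ftplib", "smtplib"}
# Modules that let the skill execute commands, e.g. `pip install` at runtime.
SHELL_MODULES = {"subprocess", "pip", "ensurepip"}

# Constructed sample in the style the scan describes (pandas, a user-supplied
# QTO workbook, a pricing-rules file). It is NOT the real skill source.
SAMPLE_SKILL_SOURCE = '''
import json
import os
import pandas as pd
from openpyxl import load_workbook

def generate_estimate(qto_path, rules_path="/etc/pricing/rules.json"):
    qto = pd.read_excel(qto_path)
    with open(rules_path) as f:
        rules = json.load(f)
    qto["cost"] = qto["quantity"] * qto["item"].map(rules)
    return qto[["item", "quantity", "cost"]]
'''


def stdlib_names():
    """Top-level standard-library module names (authoritative on Python 3.10+)."""
    names = getattr(sys, "stdlib_module_names", None)
    if names is not None:
        return set(names)
    # Minimal fallback for older interpreters (assumption: enough for this audit).
    return {"json", "os", "sys", "re", "csv", "pathlib", "math", "io", "subprocess",
            "socket", "http", "urllib", "ftplib", "smtplib", "ensurepip"}


def top_level_imports(tree):
    """Set of top-level module names imported anywhere in the module."""
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            found.add(node.module.split(".")[0])
    return found


def absolute_path_literals(tree, allowed_root):
    """String constants that look like absolute paths outside allowed_root."""
    root = allowed_root.rstrip("/") + "/"
    return sorted({
        node.value for node in ast.walk(tree)
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
        and node.value.startswith("/") and not node.value.startswith(root)
    })


def calls_os_system(tree):
    """True if the code calls os.system(...) directly."""
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "system"
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "os"):
            return True
    return False


def audit_skill(source, declared=frozenset(), allowed_root="/workspace"):
    """Return the findings a reviewer needs before enabling the skill.

    `declared` is the set of third-party modules the metadata admits to;
    this listing declares none (only the python3 binary).
    """
    tree = ast.parse(source)
    imports = top_level_imports(tree)
    stdlib = stdlib_names()
    return {
        "undeclared_deps": sorted(m for m in imports if m not in stdlib and m not in declared),
        "network_modules": sorted(m for m in imports if m in NETWORK_MODULES),
        "shell_modules": sorted(m for m in imports if m in SHELL_MODULES),
        "os_system_call": calls_os_system(tree),
        "paths_outside_root": absolute_path_literals(tree, allowed_root),
    }


def needs_review(report):
    """Any non-empty finding means: ask the publisher or sandbox it first."""
    return any(bool(v) for v in report.values())


if __name__ == "__main__":
    report = audit_skill(SAMPLE_SKILL_SOURCE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("needs_review:", needs_review(report))
```

Run it against the real skill file instead of the sample by passing the file contents to `audit_skill`, together with whatever the publisher eventually declares as dependencies and the directory you plan to mount for the agent. A clean report is necessary but not sufficient: a string built at runtime or a dynamic `__import__` will not show up as a literal, so the sandbox and the synthetic-data dry run remain worthwhile even when this audit passes.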


latest: vk97a4ryscsj2082zvrkhzas2d1813t95

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Clawdis
OS: macOS · Linux · Windows
Bins: python3
