Auto Estimate Generator
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: auto-estimate-generator
Version: 2.1.0

The skill is classified as suspicious due to an arbitrary file write vulnerability in the `export_to_excel` function within `SKILL.md`. This function takes an `output_path` argument, which, if user-controlled and unsanitized by the OpenClaw agent, could allow an attacker to overwrite arbitrary files on the system. The `claw.json` file explicitly requests `filesystem` permissions, which enables this risky operation. While there is no clear evidence of intentional malicious behavior like data exfiltration or backdoors, this vulnerability presents a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant may be able to read local files if directed to use them for estimating workflows.
The skill requests filesystem access. This is coherent with parsing user-provided QTO CSV/Excel data, but it is still a tool capability users should notice.
"permissions": ["filesystem"]
Only provide the project files needed for the estimate and avoid granting access to unrelated sensitive folders.
The version mismatch may make it slightly harder to confirm exactly which packaged release is being reviewed or installed.
The registry metadata lists version 2.1.0, while claw.json lists 2.0.0, creating a small package metadata consistency issue.
"version": "2.0.0"
Confirm the publisher and intended version before installation if version provenance matters for your workflow.
