Cwicr Cost Calculator
v2.1.0Calculate construction costs using DDC CWICR resource-based methodology. Break down costs into labor, materials, equipment with transparent pricing.
⭐ 0· 1.1k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, instructions, and embedded Python implementation all describe a resource-based CWICR cost calculator — that is coherent. However the SKILL references a large CWICR database (55k+ items) but provides no dataset, no config path, and no guidance where the data is stored. claw.json declares filesystem permission which suggests the skill expects to read local files; this capability is plausible for the stated purpose but the relationship is underspecified.
Instruction Scope
The runtime instructions focus on identifying work items, looking up norms, applying prices, and producing breakdowns — all within scope. The SKILL.md also includes Python code and explicitly instructs installing packages (pip install pandas numpy). The instructions do not attempt to read unrelated system files or request secrets, but they are open-ended about where to obtain the CWICR database and 'current unit prices', giving the agent broad discretion to ask the user or load local files.
Install Mechanism
There is no formal install spec (instruction-only), yet SKILL.md tells the user to run pip install pandas numpy. That is common for Python snippets but is an unstated side-effect: it requires network access and package installation if the environment lacks them. No URLs or external installers are embedded in the skill itself.
Credentials
The skill requests no environment variables, no credentials, and declares no required config paths. That is proportionate for a calculation tool. The only permission in claw.json is 'filesystem', which is reasonable if the skill needs to read a local CWICR dataset — but the dataset path is not declared.
Persistence & Privilege
always:false and default autonomous invocation are set (normal). The skill does not request persistent elevated privileges. The one notable privilege is claw.json's 'filesystem' permission; combined with lack of explicit data-path declarations, this could allow the agent to read arbitrary files if the runtime enforces that permission broadly. This is not definitive malicious behavior but it is a scope gap to clarify.
What to consider before installing
What to check before installing or using this skill:
- Ask the publisher where the CWICR dataset (the 55k work items) is expected to come from. If you must supply the dataset, confirm the exact file path and format before allowing filesystem access.
- Confirm whether your runtime will actually execute the provided pip install commands; if so, run them in a controlled environment (virtualenv/container) rather than your main system.
- Verify claw.json's filesystem permission scope with your platform: ensure the skill can only read the intended dataset and not arbitrary files.
- Because the skill has no declared install spec or packaged dataset, expect some manual setup (installing pandas/numpy, supplying the CWICR CSV/DB). If you do not trust the source (owner ID unknown), avoid giving it access to sensitive files.
- Note there are no credentials requested (good). If the skill later asks for external endpoints, API keys, or uploads data, treat that as a significant change and re-evaluate.
- If you need higher assurance, request the dataset source, a formal install script, or a signed release from the publisher before running the skill in production.Like a lobster shell, security has layers — review code before you run it.
latestvk973d6t5prwa5enb6hmthnjnm1812s6t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💰 Clawdis
OSmacOS · Linux · Windows
Binspython3