ClawHub

AI Proposal Generator

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward proposal-generation skill, with normal local file use for meeting notes, pricing, and generated proposal outputs.

This skill looks safe to install for proposal drafting. Before using it, make sure your meeting notes, MEMORY.md, and SERVICES.md do not contain information you would not want included in a client proposal, and review the generated HTML before sending. If confidentiality is strict, consider removing the Google Fonts links from the template.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI06: Memory and Context Poisoning
What this means

Generated proposals could include private meeting details, client history, or pricing information from local files.

Why it was flagged

The skill intentionally uses local meeting notes, persistent memory, and pricing files as proposal context. This is expected for the purpose, but those sources may contain sensitive or outdated business information.

Skill content
1. Search `meeting-notes/` for client name
2. Check `MEMORY.md` for client history
3. Load `proposals/SERVICES.md` for pricing
Recommendation

Review drafts before finalizing or sending, keep meeting notes and MEMORY.md accurate, and avoid storing confidential material in these files unless you intend it to be used in proposals.

Info
#ASI07: Insecure Inter-Agent Communication
What this means

Anyone opening a generated proposal may make requests to Google Fonts, which can reveal basic access metadata such as IP address and user agent to that provider.

Why it was flagged

The proposal HTML template loads fonts from Google-hosted domains. This is common for polished HTML output, but opening or sharing the generated proposal may contact those external services.

Skill content
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter...
Recommendation

If proposals are highly confidential or must work offline, replace remote font links with local fonts or remove external font loading before sending.