ClawHub

AI Proposal Generator

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: ai-proposal-generator Version: 1.0.0 The OpenClaw skill bundle is designed to generate HTML proposals from meeting notes and templates. All file access instructions in SKILL.md are local and confined to expected directories (`meeting-notes/`, `proposals/`, `MEMORY.md`, `assets/`). The `assets/proposal-template.html` and example HTML files only load fonts from Google Fonts, which is a standard and benign practice. There are no signs of prompt injection against the AI agent, malicious execution, data exfiltration, persistence mechanisms, or obfuscation across any of the analyzed files. The skill's behavior is clearly aligned with its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI06: Memory and Context Poisoning
What this means

Generated proposals could include private meeting details, client history, or pricing information from local files.

Why it was flagged

The skill intentionally uses local meeting notes, persistent memory, and pricing files as proposal context. This is expected for the purpose, but those sources may contain sensitive or outdated business information.

Skill content
1. Search `meeting-notes/` for client name
2. Check `MEMORY.md` for client history
3. Load `proposals/SERVICES.md` for pricing
Recommendation

Review drafts before finalizing or sending, keep meeting notes and MEMORY.md accurate, and avoid storing confidential material in these files unless you intend it to be used in proposals.

NoteHigh Confidence
ASI07: Insecure Inter-Agent Communication
What this means

Anyone opening a generated proposal may make requests to Google Fonts, which can reveal basic access metadata such as IP address and user agent to that provider.

Why it was flagged

The proposal HTML template loads fonts from Google-hosted domains. This is common for polished HTML output, but opening or sharing the generated proposal may contact those external services.

Skill content
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter...
Recommendation

If proposals are highly confidential or must work offline, replace remote font links with local fonts or remove external font loading before sending.