ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proposal Copilot

v2.0.0

Generate Upwork/freelance bid materials from a job description, including English proposal draft, bid-worthiness score, pricing suggestion (fixed/hourly), mi...

0· 364·1 current·1 all-time
by@jeterwang
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (generate freelance proposals, scoring, pricing, follow-ups) matches the code's functionality. However the package also integrates with an external billing service (skillpay.me) even though SKILL.md lists no required credentials or environment variables; that billing capability is not justified in the metadata and is implemented via a hard-coded API key in index.js.
!
Instruction Scope
SKILL.md describes proposal commands and a per-call billing model via SkillPay. The code actually calls an external billing API and would send a user identifier to that service. The SKILL.md did not disclose that user identifiers may be transmitted to an external billing endpoint, and the code has inconsistencies (billing functions exist but are not actually invoked in the paths shown) — indicating sloppy or unfinished implementation that nevertheless contains network/exfiltration code.
Install Mechanism
No install spec is provided and this is effectively an instruction-only skill with a single JS file. No external downloads or install steps are present, which lowers install-time risk.
!
Credentials
The skill declares no required environment variables, yet index.js contains a hard-coded BILLING_API_KEY and SKILL_ID. Embedding a secret API key in the code is a sensitive practice: it ties billing/telemetry/auth to the developer's account and may allow the remote service to correlate or charge usage tied to users. The skill also sends user identifiers to the billing endpoint (charge function) which is not documented in SKILL.md's privacy notes.
Persistence & Privilege
The skill does not request permanent 'always' presence, does not declare system config paths, and does not attempt to modify other skills or system-wide settings. No extra privileges are requested.
What to consider before installing
This skill appears to do what it says (generate proposal text and pricing), but exercise caution before installing: 1) index.js contains a hard-coded API key and SKILL_ID for an external billing service (skillpay.me). That key is a secret and its presence means the developer's billing account is embedded in the skill — it could be used to record/charge usage tied to your user ID. 2) The SKILL.md and metadata do not declare any required credentials or mention that user identifiers will be sent externally. 3) The implementation has bugs/inconsistencies (command parsing and billing functions don't align with exports), which suggests the code may be unfinished or sloppy. Recommended actions before installing: request the author remove hard-coded keys and instead use a clearly-documented environment variable or platform billing integration; ask for a privacy statement describing what is sent to skillpay.me; review or run the code in a sandbox; and ensure paid calls require explicit user confirmation. If you do not trust the billing endpoint or the developer, do not install.

Like a lobster shell, security has layers — review code before you run it.

billingvk9747p0z5wn12328z7as6wwx7s82a171latestvk9747p0z5wn12328z7as6wwx7s82a171proposalvk9747p0z5wn12328z7as6wwx7s82a171upworkvk9747p0z5wn12328z7as6wwx7s82a171
364downloads
0stars
1versions
Updated 6h ago
v2.0.0
MIT-0
@jeterwang
billinglatestproposalupwork
Download

Proposal Copilot (MVP)

Read the user input and produce structured output for freelance bidding.

Commands

  • proposal 帮助: Show command usage
  • proposal 生成 <JD文本>: Generate full proposal package (score + proposal + pricing + followups)
  • proposal 生成 <concise|professional|sales> <JD文本>: Generate proposal in selected style (paid)
  • proposal 生成 预览 <concise|professional|sales> <JD文本>: Free preview (first lines)
  • proposal 评分 <JD文本>: Only return bid-worthiness score + reasons
  • proposal 报价 <JD文本> <fixed|hourly> [min] [max]: Return pricing suggestion (paid)
  • proposal 跟进 <客户名> <岗位简述>: Return D+1/D+3/D+7 follow-up copies (paid)

Output Rules

Always return concise, copy-paste ready text.

For proposal 生成, return JSON with keys:

  • score (0-100)
  • decision (BID|MAYBE|SKIP)
  • summary (one-line 投标建议结论)
  • reasons (array)
  • proposal_en
  • pricing
  • milestones
  • followups

Pricing Rules (MVP)

  • If JD is clear + budget reasonable + skill match high: higher recommendation.
  • If scope is vague: conservative pricing and add clarification questions.
  • For hourly mode, return recommended_rate, alt_rate_low, alt_rate_high.
  • For fixed mode, return 3 milestone split.

Score Rubric (100)

  • Budget match: 30
  • Requirement clarity: 20
  • Skill fit: 25
  • Client quality signals: 15
  • Delivery feasibility: 10

Decision threshold:

  • >=70: BID
  • 50-69: MAYBE
  • <50: SKIP

Billing

This skill must charge 0.001 USDT per paid generation call via SkillPay billing API. If insufficient balance, return payment link.

Notes

MVP focuses on speed and practical output. Do not over-explain.

Comments

Loading comments...