Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Proposal Copilot
v2.0.0Generate Upwork/freelance bid materials from a job description, including English proposal draft, bid-worthiness score, pricing suggestion (fixed/hourly), mi...
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (generate freelance proposals, scoring, pricing, follow-ups) matches the code's functionality. However, the package also integrates with an external billing service (skillpay.me) even though SKILL.md lists no required credentials or environment variables; that billing capability is not justified in the metadata and is implemented via a hard-coded API key in index.js.
Instruction Scope
SKILL.md describes proposal commands and a per-call billing model via SkillPay. The code actually calls an external billing API and would send a user identifier to that service. The SKILL.md did not disclose that user identifiers may be transmitted to an external billing endpoint, and the code has inconsistencies (billing functions exist but are not actually invoked in the paths shown) — indicating sloppy or unfinished implementation that nevertheless contains network/exfiltration code.
Install Mechanism
No install spec is provided and this is effectively an instruction-only skill with a single JS file. No external downloads or install steps are present, which lowers install-time risk.
Credentials
The skill declares no required environment variables, yet index.js contains a hard-coded BILLING_API_KEY and SKILL_ID. Embedding a secret API key in the code is a risky practice: it ties billing/telemetry/auth to the developer's account and may allow the remote service to correlate or charge usage tied to users. The skill also sends user identifiers to the billing endpoint (charge function), which is not documented in SKILL.md's privacy notes.
Persistence & Privilege
The skill does not request permanent 'always' presence, does not declare system config paths, and does not attempt to modify other skills or system-wide settings. No extra privileges are requested.
What to consider before installing
This skill appears to do what it says (generate proposal text and pricing), but exercise caution before installing:
1) index.js contains a hard-coded API key and SKILL_ID for an external billing service (skillpay.me). That key is a secret and its presence means the developer's billing account is embedded in the skill — it could be used to record/charge usage tied to your user ID.
2) The SKILL.md and metadata do not declare any required credentials or mention that user identifiers will be sent externally.
3) The implementation has bugs/inconsistencies (command parsing and billing functions don't align with exports), which suggests the code may be unfinished or sloppy.
Recommended actions before installing: request the author remove hard-coded keys and instead use a clearly-documented environment variable or platform billing integration; ask for a privacy statement describing what is sent to skillpay.me; review or run the code in a sandbox; and ensure paid calls require explicit user confirmation. If you do not trust the billing endpoint or the developer, do not install.
Tags: billing, latest, proposal, upwork