Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Freelance Proposal Writer Pro

v1.0.1

AI-powered skill that generates, analyzes, and optimizes personalized freelance proposal drafts for higher client conversion rates.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The README/SKILL.md repeatedly claims 'AI-powered' generation and documents an apiKey in config.json, but the provided index.js performs only local template substitution and simple heuristics — there are no LLM or network calls. The package/skill names also differ across files (package.json uses 'freelance-proposal-writer-pro', test.js and clawhub.json expect 'freelance-proposal-writer'), which is inconsistent with the stated publishing/packaging intent.
! Instruction Scope
SKILL.md and README instruct creating ~/.freelance-proposal/config.json with an apiKey and claim OpenClaw integration (exported generateProposal), but index.js does not read any config file, environment variables, or implement exported functions for programmatic use. The CLI commands described mostly match index.js, but the 'AI' and config instructions exceed what the runtime actually does.
Install Mechanism
There is no install spec in the registry metadata, but SKILL.md suggests 'npm install -g freelance-proposal-writer'. The repository includes a valid package.json and CLI entrypoint. There are no install scripts in package.json and no downloads from external URLs in the code, which lowers direct install risk — however naming mismatches could result in installing an unexpected package name/version from registries.
! Credentials
The skill documentation and SKILL.md suggest an apiKey and config options (and README mentions autoSave/statsTracking), but the code does not require or use any environment variables or credentials. Requesting or entering an API key would be unnecessary for the current code and could risk exposing secrets for no reason; the declared requirements in the registry show no required env vars, adding to the mismatch.
Persistence & Privilege
The skill does not request special privileges, does not set always:true, and contains no code that modifies other skills or system-wide configs. It writes proposal files to the current directory only when --save is used, which is proportionate to its stated purpose.
What to consider before installing
This package appears non-malicious but sloppy/unfinished: it claims 'AI' capabilities and instructs you to add an apiKey/config, yet the code only does local template substitution and doesn't read that config or call any external service. Also several metadata fields are inconsistent (package name/version vs tests and clawhub.json), which suggests the author copied templates and didn't finish validation.

Before installing or providing any credentials:
1) Ask the publisher for the canonical source (Git URL or npm package name) and confirm whether an external AI/LLM service is actually used.
2) Do not paste API keys or secrets into config files unless you confirm the code needs them and the network endpoints are trustworthy.
3) If you test locally, inspect package.json for install scripts and run the CLI in a sandbox or VM first.
4) Consider forking and fixing the metadata/tests or wait for a published, reconciled release from a known author.

If you need an actual AI-backed proposal generator, prefer a package that clearly documents and shows network/LLM usage and reviews its privacy/credentials handling.

Like a lobster shell, security has layers — review code before you run it.
