v1.0.1

Freelance Proposal Writer Pro

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

The included code looks like a simple local proposal-template CLI, but the documentation asks for an unspecified API key and directs users to globally install a differently named npm package, so it needs review before installation.

Guidance: Before installing, verify the exact npm package name and publisher, avoid entering any API key until its provider and permissions are clearly documented, and understand that the reviewed code appears to generate proposals from local templates rather than a real AI service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g freelance-proposal-writer

The documented global npm install points to `freelance-proposal-writer`, while the supplied package metadata names the reviewed package `freelance-proposal-writer-pro`; following the documented install could pull unreviewed external code rather than the artifact under review.

User impact: A user could install and run a different npm package than the one represented by these artifacts.
Recommendation: Only install a verified package whose name, repository, and ClawHub artifact match; the publisher should align install instructions, package metadata, and registry install specs.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
index.js
let proposal = template.template; ... proposal = proposal.replace(/{{clientName}}/g, options.clientName || 'Hiring Manager')

The implementation shown generates proposals through static template replacement, while the documentation repeatedly markets the skill as AI-powered with Pro subscription features; this mismatch can mislead users about what the tool actually does.

User impact: Users may rely on or pay for the skill expecting real AI analysis and generation, when the reviewed code appears to provide template-based output.
Recommendation: Treat the current artifact as a template CLI unless the publisher supplies matching AI integration code, provider documentation, and accurate feature descriptions.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
README.md
Create `~/.freelance-proposal/config.json`: { "apiKey": "your-api-key", ... }

The skill asks users to store an unspecified API key in a persistent config file, while the registry metadata declares no required credentials and the supplied code does not define which provider or permission scope the key needs.

User impact: Users may unnecessarily place a secret API key on disk without knowing what service it belongs to or how it will be used.
Recommendation: Do not add an API key unless the provider, scope, storage location, and usage are clearly documented; the publisher should declare any required credential explicitly.