Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gov Contracts

v1.0.0

SAM.gov contract opportunities, USAspending awards, and entity lookup. 3 tools for government contracting.

by Martin @martc03
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (SAM.gov, USAspending, entity lookup) align with the provided tools and parameters. Requiring the mcporter binary is consistent with registering an MCP server for these tools.
Instruction Scope
The SKILL.md instructs the agent to add and use a remote MCP at https://gov-contracts-mcp.apify.actor/mcp. All query input and returned results would transit that third‑party server; the instructions do not request local files or extra env vars, but they do direct data to an external host that is not an official government domain.
Install Mechanism
This is an instruction‑only skill with no install spec or code to write to disk, which is lower risk. The only required binary is mcporter, which is reasonable for registering an MCP transport.
Credentials
The skill requests no environment variables, credentials, or config paths — proportional to the described read-only data lookup functionality.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request elevated persistent privileges or to modify other skills' configs.
What to consider before installing
This skill appears to do what it says, but it routes queries through a third‑party MCP hosted on Apify (gov-contracts-mcp.apify.actor). Before installing:
(1) Confirm you trust the remote host: review the GitHub repo and any Apify actor source to verify it simply proxies official government APIs.
(2) Avoid sending any sensitive or proprietary text in queries (UEIs, bid strategy, or non‑public docs) because the third party could log them.
(3) Verify mcporter is a legitimate binary from a trusted source and that your environment already has it or you install it safely.
(4) If privacy is important, consider querying the official SAM.gov and USAspending APIs directly or self‑hosting an MCP proxy you control.
If you want a lower-risk decision, provide the GitHub repo contents or the Apify actor source for a more detailed review.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f11jw2cyrbj50xpwaajrn6981ygjc

Runtime requirements

📋 Clawdis
Bins: mcporter