Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Freelancer Bidder

v1.0.0

Scan Freelancer.com for new projects matching your skills, draft personalized bid proposals, and track bidding history. Use when you want to find freelance j...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to scan Freelancer.com, draft proposals, and 'submit and log' bids. It reasonably needs only read/search access plus local file writes for a bids.md log. However, the SKILL.md explicitly mentions using the Freelancer API and (in an example) submitting bids, yet the skill declares no required credentials or config for account access. Submitting bids programmatically normally requires authentication; that mismatch is incoherent and should be clarified.
! Instruction Scope
Runtime instructions tell the agent to fetch matching projects via 'Freelancer API / web search', rank results, generate proposals, and maintain a local bids.md. The instructions do not tell the agent to read any unrelated files or secrets, which is good, but they are vague about whether the agent will actually perform automated submissions to Freelancer (which would require account credentials and clearer steps). 'Web search' / scraping is also unspecified (rate limits, user account use, or consent).
Install Mechanism
This is instruction-only (no install spec, no code files to run), so there is no installer or downloaded code to evaluate — lowest install risk.
! Credentials
The skill declares no required environment variables or primary credential. That is reasonable for read-only web scraping and local logging, but inconsistent with its mentions of using the Freelancer API and submitting bids. If the skill needs to post bids or use authenticated API endpoints, it should explicitly declare which credentials it needs and why. Otherwise there is ambiguity about how submissions would occur and where credentials (if any) would be used or stored.
Persistence & Privilege
The skill does not request always: true and is user-invocable only. It writes a local bids.md as part of its workflow, which is expected and limited in scope. It does not request system-wide or cross-skill config changes.
What to consider before installing
Before installing, ask the skill author to clarify: (1) Will the agent actually submit bids on Freelancer on your behalf? If so, what credentials are required and where/how are they stored? (2) If the Freelancer API is used, which endpoints and what auth scope are needed — the skill should declare required env vars explicitly. (3) If scraping is used, confirm compliance with Freelancer's terms and any rate limits. Also note the package metadata inconsistencies (ownerId/version/homepage differ) — request source code or a reputable homepage and prefer only granting credentials with minimal scope (or use a throwaway/test account). If you proceed, monitor what the agent writes to bids.md and avoid providing full account credentials until you verify behavior.

Like a lobster shell, security has layers — review code before you run it.
