Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Freelancer Bidder
v1.0.0
Scan Freelancer.com for new projects matching your skills, draft personalized bid proposals, and track bidding history. Use when you want to find freelance j...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill says it will search Freelancer.com and submit bids, but it declares no required credentials, API keys, or binaries. Submitting bids or using Freelancer's API normally requires account authentication; the absence of any declared auth or guidance is inconsistent. Additionally, metadata files disagree on owner/version/homepage, which weakens provenance.
Instruction Scope
SKILL.md instructs the agent to 'Fetch matching active projects via Freelancer API / web search' and to 'Submit and log it' but gives no concrete, scoped steps for authentication, rate limits, or what 'submit' means (API call vs browser automation). It also instructs maintaining and updating a bids.md file in the workspace (writing data locally), which is reasonable for tracking but combined with unspecified external submission is vague and could lead to unintended actions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer, which is low-risk for installation mechanics.
Credentials
No environment variables or credentials are declared, yet the skill's functionality (especially submitting bids) would reasonably require Freelancer account credentials or an API key. The absence of any declared auth is disproportionate to the claimed capability and creates ambiguity about how authentication or posting would be handled.
Persistence & Privilege
The skill does not request permanent/injected presence (always: false) and does not declare modifications to other skills or system-wide settings. Writing a bids.md in the workspace is normal for a task-tracking feature, but it should be done only with user consent.
What to consider before installing
- Provenance: metadata inside the package (ownerId and version) doesn't match the registry listing and the skill claims no homepage in the registry despite skill.yaml containing a homepage — this mismatch reduces trust. Ask the publisher to confirm identity and provide a reputable homepage or repo.
- Authentication: the skill claims it will 'fetch' and 'submit' bids on Freelancer.com but declares no required API key or account credentials. Do not provide your Freelancer account credentials unless you fully trust the skill's author and understand exactly how credentials are stored and used. Prefer read-only use (searching) until authentication/submission flows are clearly documented.
- Submission behavior: clarify whether the agent will actually post bids on your behalf or only draft proposals for you to manually submit. If automatic submission is supported, require explicit, per-action consent and logging.
- Test safely: if you try it, use a throwaway Freelancer account first and monitor what files the agent writes (bids.md).
- What would change the assessment: clear, consistent metadata; explicit declaration of required credentials (e.g., FREELANCER_API_KEY or instructions saying 'you must connect your Freelancer account via OAuth'); and detailed, auditable submission steps (API endpoints, scopes, and where credentials are stored) would make the skill coherent and could move the verdict toward benign.

Like a lobster shell, security has layers — review code before you run it.
