Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Estimate Builder
v1.0.1
Build construction project estimates. Generate detailed cost breakdowns with labor, materials, equipment, and overhead.
by @qmohd
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the instruction content (collect line items, apply markups, produce summaries) are coherent with an estimating tool. The SKILL.md embeds Python example code and the manifest requires python3, which is reasonable for a code-based assistant. However the manifest metadata (ownerId, slug, and version) in included files does not match the registry metadata provided, which is an inconsistency worth investigating.
Instruction Scope
Runtime instructions ask the agent only to gather project details, validate line items, calculate category summaries and markups, and present results. There are no instructions to read unrelated system files, access environment secrets, or exfiltrate data to external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run from a remote URL — lowest-risk install mechanism. It does include Python example code but does not automatically install anything.
Credentials
The skill declares a permissions entry of ["filesystem"] in claw.json, but requires no environment variables or config paths. The SKILL.md does not clearly require filesystem access (it mentions 'export capabilities' in the description but gives no explicit export instructions). Granting filesystem access would allow reading/writing files beyond the skill's evident needs; this is disproportionate unless you require local export of estimate files.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed (platform default). There is no request to modify other skills or system-wide configs. No extra persistence or privileged flags are present.
What to consider before installing
This skill appears to implement exactly what it claims (building estimates), but there are a few red flags to check before installing:
- Verify origin and ownership: the registry metadata and the included files contain different ownerId/slug/version values. Confirm the publisher and homepage (https://datadrivenconstruction.io) are trustworthy.
- Review the need for filesystem access: claw.json requests filesystem permission. If you don't need local export/import of estimate files, avoid granting filesystem permission. If you do grant it, prefer running in a restricted environment or sandbox.
- Inspect/preview the embedded Python code before executing it locally. The skill is instruction-only, but the agent could be instructed to execute code snippets — make sure you understand what will run.
- Because there are no required credentials, the immediate exposure of secrets is low, but arbitrary filesystem access can still leak sensitive files. Consider testing in an isolated account or VM.
If you want a safer install: ask the skill author to remove the filesystem permission (or document precisely why export requires it), and resolve the metadata inconsistencies so you can verify the publisher.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bsh0pa6xk3fyvbksm15mcgs81nxg6
Runtime requirements
📊 Clawdis
OS: macOS · Linux · Windows
Bins: python3
