Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bid Watcher

v1.1.0

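Bid intelligence monitoring system. Monitors tender notices in the lithium battery / energy storage / assembly-stage industries and tracks the bidding activity of 4 competitors (无锡先导, 海目星, 赢合科技, 联赢激光). Each week it automatically collects data, generates a tabular report and sends it by email.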

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for richardcoder849/bid-watcher.

Install the skill "Bid Watcher" (richardcoder849/bid-watcher) from ClawHub.
Skill page: https://clawhub.ai/richardcoder849/bid-watcher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install richardcoder849/bid-watcher

ClawHub CLI

npx clawhub@latest install bid-watcher

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (monitor bids, produce weekly reports, email them) align with the included scripts: search_bids.py, parse_bids.py, enrich_*.py, generate_report.py and send_email.py. The code implements scraping, enrichment, reporting and emailing as claimed.
Instruction Scope
SKILL.md instructs running the bundled Python scripts and configuring SMTP env vars — consistent with the code. The scripts scrape many external industry sites and a hard-coded CSV_LINKS list of URLs (expected for this purpose). Note: parse/search code disables SSL verification (verify_mode = CERT_NONE), which weakens transport security when fetching pages and may increase risk of man-in-the-middle content injection; this is an implementation choice that is unrelated to the stated high-level purpose and should be justified.
! Install Mechanism
The skill has no install spec but includes multiple Python scripts that require a Python runtime. generate_report.py optionally depends on openpyxl (it prints a warning if missing). Registry metadata declared no required binaries or dependencies, which is inconsistent — the skill practically requires Python and may require openpyxl to produce Excel output. Lack of declared runtime/dependency instructions is an installation/integration mismatch.
! Credentials
SKILL.md lists SMTP credentials (BID_SMTP_HOST, BID_SMTP_PORT, BID_SMTP_USER, BID_SMTP_PASS, BID_REPORT_TO) as required, and send_email.py reads exactly those env vars. Requesting an SMTP username/password is proportionate for emailing reports. However, the registry metadata declared no required env vars — that mismatch is concerning because sensitive SMTP credentials are expected but not surfaced by the publisher metadata. Verify you are comfortable supplying an email account password and prefer using a dedicated/send-only account or app-specific password.
Persistence & Privilege
The skill is not flagged always:true and does not modify other skills or agent settings. It runs on-demand or via cron as described; autonomous agent invocation remains default but is not combined with additional elevated privileges here.
What to consider before installing
What to check before installing:

- Metadata mismatch: the registry claims no required binaries or env vars, but the SKILL.md and scripts require a Python runtime and SMTP credentials. Expect to run these as local Python scripts; confirm you have Python and any optional libraries (openpyxl) installed.
- SMTP credentials: the skill needs BID_SMTP_USER and BID_SMTP_PASS to send emails. Use a dedicated send-only account or an app-specific password; do not reuse high-privilege personal credentials. Confirm the REPORT_TO list and recipients before enabling automated sends.
- Disabled SSL verification: parse_bids.py and search_bids.py intentionally disable SSL verification when fetching URLs. This increases the risk of fetching manipulated content if an attacker can intercept your network traffic. If possible, run in an environment with trustworthy network routing or modify the code to enforce SSL verification.
- External scraping: the skill fetches many third-party URLs (industry sites and government portals). Ensure you are allowed to scrape those sources; consider politeness (rate limits) and legal/contract constraints. Also review CSV_LINKS to ensure no unexpected endpoints are present.
- Secrets handling: the code reads SMTP creds directly from environment variables and does not exfiltrate them elsewhere in the bundle, but still review logs and deployment to avoid accidental leakage (e.g., check cron, CI logs, or backups where environment variables could be captured).
- Operational safety: test in a sandbox first. Run scripts locally with a dry-run (send_email supports a '--dry-run' path) and inspect generated data files under data/ before enabling automated cron.

If you want to proceed: update the skill metadata to list Python and the SMTP env vars, create a dedicated SMTP account, lock down network egress if needed, and consider enabling SSL verification in the fetch routines.
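
An added example (not part of the skill or of the scan report): an AST check to run over the bundled scripts before installing, reporting where Python code turns off certificate verification. The sample source is constructed and `find_tls_bypasses` is a name introduced here; beyond the `verify_mode = CERT_NONE` pattern the report names, it also covers `check_hostname = False`, `ssl._create_unverified_context()` and `verify=False`.

```python
import ast

# Constructed sample: a fetch helper that disables certificate checks the way
# the scan report describes (verify_mode = CERT_NONE). Not the skill's code.
SAMPLE = '''
import ssl, urllib.request

def fetch(url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.urlopen(url, context=ctx, timeout=10).read()

def fetch_strict(url):
    ctx = ssl.create_default_context()
    return urllib.request.urlopen(url, context=ctx, timeout=10).read()
'''

def _name(node):
    """Trailing identifier of a Name/Attribute node, else None."""
    return getattr(node, "attr", None) or getattr(node, "id", None)

def find_tls_bypasses(source, filename="<source>"):
    """Return sorted (line, reason) pairs where certificate checks are turned off."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr == "verify_mode" and _name(node.value) == "CERT_NONE":
                    findings.append((node.lineno, "verify_mode = CERT_NONE"))
                if (target.attr == "check_hostname"
                        and isinstance(node.value, ast.Constant)
                        and node.value.value is False):
                    findings.append((node.lineno, "check_hostname = False"))
        elif isinstance(node, ast.Call):
            if _name(node.func) == "_create_unverified_context":
                findings.append((node.lineno, "ssl._create_unverified_context()"))
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "verify=False"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_tls_bypasses(SAMPLE):
        print(f"line {line}: {reason}")
```

To audit the bundle, read each script under scripts/ as text and pass it to `find_tls_bypasses`; an empty result means none of these four patterns appear, not that the file is otherwise safe.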

Like a lobster shell, security has layers — review code before you run it.

latest vk97eajgk0wt8bf1araj0ewywr185fwx2
26 downloads
0 stars
2 versions
Updated 5h ago
v1.1.0
MIT-0

Bid Intelligence Monitoring Skill

Target companies

No. | Company name | Keyword
1 | 无锡先导智能装备股份有限公司 | 先导智能
2 | 海目星激光科技集团股份有限公司 | 海目星
3 | 深圳市赢合科技股份有限公司 | 赢合科技
4 | 深圳市联赢激光股份有限公司 | 联赢激光

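Monitored keywords

  • 锂电池 (lithium battery)
  • 储能 (energy storage)
  • 装配段 (assembly stage)
  • 锂电设备 (lithium battery equipment)
  • 电池生产设备 (battery production equipment)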

Information sources

  1. Search engine: Bing search (keyword + "招标" ("tender"))
  2. To be added: government procurement platforms, 招标雷达, 剑鱼标讯 API

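Collected fields

Each tender opportunity records the following fields:

  • Bid time: tender deadline / bid opening time
  • Budget: project budget amount
  • Company name: tendering party / purchaser
  • Company background: the purchaser's main business and size
  • Purchase history: whether it has bought similar equipment before
  • Previous supplier: which supplier it bought from before
  • Source link: link to the tender notice
  • Discovery time: time of scraping
  • Competitor: which competitor the opportunity is associated with
  • Priority: four-level grade, S/A/B/C
  • Relevance: high / low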

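Workflow (TaskFlow)

[Weekly scheduled trigger]
     ↓
[Step 1] search_bids.py     Search tender notices (industry platforms)
     ↓
[Step 2] enrich_bids.py    Extract company/budget + priority scoring
     ↓
[Step 3] generate_report.py  Generate weekly report (Markdown + Excel)
     ↓
[Step 4] History archive      data/history/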

File structure

bid-watcher/
├── SKILL.md
├── flows/
│   └── bid-monitor.lobster   # TaskFlow definition
├── scripts/
│   ├── search_bids.py        # search tender notices
│   ├── enrich_bids.py        # extract company/budget + priority scoring
│   ├── generate_report.py   # generate weekly report (Markdown/Excel)
│   └── send_email.py        # send email
└── data/
    ├── bids_raw_YYYYMMDD.json         # raw search results
    ├── bids_parsed_enriched_YYYYMMDD.json  # data after background enrichment
    ├── bid_report_W*.md            # weekly report, Markdown
    ├── bid_report_W*.xlsx        # weekly report, Excel
    └── history/
        └── week_YYYYWW.json            # full weekly data archive

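Priority scoring rules

Dimension | Points | Note
Has a budget amount | +1 |
Large budget (≥1000万, i.e. ≥10 million) | +1 |
Company is in the known background library | +1 |
Has an explicit bid time | +1 |
Title contains "储能" / "锂电" / "动力电池" | +1 |
Tender issued by a competitor itself | -2 | Excluded

Final grade: S (≥4 points) / A (3 points) / B (2 points) / C (≤1 point)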

Usage

# Search tender notices
python scripts/search_bids.py

# Extract company/budget + priority scoring
python scripts/enrich_bids.py

# Generate report (Excel format, the default)
python scripts/generate_report.py --format excel

# Generate report (Markdown + Excel)
python scripts/generate_report.py --format both

Parameters

Parameter | Description | Default
--format | Output format | excel

Automatic triggering

  • Manual: say "运行投标监控" ("run bid monitoring") or run python scripts/*.py directly
  • Automatic: runs every Monday at 09:00, scheduled through cron

Email configuration

The following environment variables must be set:

  • BID_SMTP_HOST: mail server (e.g. smtp.gmail.com)
  • BID_SMTP_PORT: port (e.g. 587)
  • BID_SMTP_USER: user name
  • BID_SMTP_PASS: password
  • BID_REPORT_TO: recipient addresses (comma-separated if more than one)

Configuration example:

export BID_SMTP_HOST=smtp.gmail.com
export BID_SMTP_PORT=587
export BID_SMTP_USER=your-email@gmail.com
export BID_SMTP_PASS=your-app-password
export BID_REPORT_TO=team@company.com

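Status output

After collection finishes, the skill outputs:

  • Number of opportunities newly found this week
  • Number of opportunities associated with each competitor
  • Priority distribution (how many at each of S/A/B/C)
  • Number of high-relevance tenders
  • Report file path
  • Email delivery status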
