Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Design Norm Quantity
v3.3.5 Measurement Uncertainty Key-Factor Ratio Estimation and Valuation System v5.0. Integrates the quantity-vector method (QDV) + neural-network topology (MEG-Net) + target-locking method + 8 major AI algorithms, with a target accuracy of ±3%. Described by the publisher as the industry's first solution to bring estimation-system error down to 3%.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name and description describe a construction-quantity estimation engine, and the repository contains many estimator, ratio and report-generator scripts plus normative JSON data that fit that purpose. However, the registry metadata labels the skill 'instruction-only' with no install spec, while the package actually includes 33+ Python scripts and reference data. That packaging inconsistency reduces trust and should be explained by the publisher.
Instruction Scope
SKILL.md lists and instructs the agent to run many scripts (estimators, a neural-network engine, a crawler, db_connector, report generators). The instructions do not explicitly declare network, database or credential usage, yet included files such as crawler.py, download_international_qs.py and db_connector.py imply network access and local persistence. The runtime guidance is high-level: it does not limit which external endpoints the crawler may contact or which local paths the DB connector will use, and that broad runtime discretion is a potential exfiltration or misuse vector.
Install Mechanism
No install spec or external downloads are declared, which lowers supply-chain risk, but the skill ships many executable code files that are placed on disk at install time. No URLs or third-party package installs are shown, which is good; the included scripts will nonetheless be executed by the agent environment and should be audited first.
Credentials
The skill declares no required environment variables or credentials. That is plausible for a local estimator using bundled JSON and SQLite, but inconsistent with the presence of crawler and db_connector code that may expect network credentials or external DB endpoints. With no declared secrets, it is unclear how external data access is authenticated and whether the code hardcodes endpoints or credentials.
Persistence & Privilege
The skill sets always:false and normal autonomous invocation. It includes a db_connector, and the documentation references a local SQLite database, which implies local persistence, but it does not request elevated platform privileges or force-enable itself. Still, autonomous invocation combined with network-capable scripts increases the blast radius if the code turns out to be malicious.
What to consider before installing
This package largely does what it claims (many estimator scripts and normative data), but exercise caution because: (1) the skill source/homepage is missing and the packaging metadata contradicts the actual bundle (it claims instruction-only but contains many scripts); (2) the crawler and DB connector scripts may contact external sites or write local data, so review those files for hardcoded endpoints, credential usage or telemetry calls before running them; (3) run the code in an isolated environment (VM or sandbox) and do not supply any production credentials; (4) ask the publisher for a canonical source repository, the license, and a short security note explaining what the crawler accesses and which persistent files the skill creates. If you cannot verify those answers, treat it as untrusted code and do not run it on sensitive systems.
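Much of the review work above (checking crawler.py and db_connector.py for hardcoded endpoints, credential use and fixed local paths, and reconciling the 'instruction-only' label with the scripts actually shipped) can be done statically before anything is executed. The script below is an added example written for this page; it is not the ClawHub scanner's code and not the skill publisher's. Only the file names crawler.py and db_connector.py are taken from the report; their contents, the SAMPLE_METADATA dict and the module watch-lists are constructed assumptions for illustration.

```python
import ast
import re
import tempfile
from pathlib import Path

# Constructed sample bundle for this example. The file names mirror those named in
# the scan report; the contents are invented here and say nothing about the real skill.
SAMPLE_BUNDLE = {
    "SKILL.md": "# Design Norm Quantity\nRun `python estimator.py`, then `python crawler.py`.\n",
    "estimator.py": (
        "import json\n"
        "def estimate(norms):\n"
        "    return sum(n['qty'] * n['rate'] for n in norms)\n"
    ),
    "crawler.py": (
        "import requests\n"
        "API_KEY = 'sk-live-0123456789abcdef'\n"
        "def fetch():\n"
        "    r = requests.get('https://example.com/qs/data', headers={'X-Key': API_KEY})\n"
        "    return r.json()\n"
    ),
    "db_connector.py": (
        "import sqlite3\n"
        "def connect():\n"
        "    return sqlite3.connect('/home/user/.local/share/dnq/norms.db')\n"
    ),
}

# Hypothetical registry metadata, modelled on the inconsistency the report describes:
# declared as instruction-only, with no declared environment variables.
SAMPLE_METADATA = {"kind": "instruction-only", "env": []}

# Watch-lists (assumptions): modules that give a script network reach, local
# persistence, or the ability to spawn processes / call native code.
NETWORK_MODULES = {"requests", "urllib", "urllib3", "httpx", "socket", "aiohttp", "ftplib", "smtplib"}
PERSISTENCE_MODULES = {"sqlite3", "shelve", "pickle", "dbm", "shutil"}
EXEC_MODULES = {"subprocess", "ctypes"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\b\s*=\s*['\"][^'\"]{8,}['\"]")
ABS_PATH_RE = re.compile(r"^(/|[A-Za-z]:\\)\S+")


def imported_modules(tree):
    """Top-level module names imported anywhere in the AST."""
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods


def triage_source(src):
    """Static triage of one Python source: what it can reach and what it stores."""
    tree = ast.parse(src)
    mods = imported_modules(tree)
    consts = [n.value for n in ast.walk(tree)
              if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    return {
        "network": sorted(mods & NETWORK_MODULES),
        "persistence": sorted(mods & PERSISTENCE_MODULES),
        "exec": sorted(mods & EXEC_MODULES),
        "urls": sorted({u for c in consts for u in URL_RE.findall(c)}),
        "abs_paths": sorted({c for c in consts if ABS_PATH_RE.match(c)}),
        "hardcoded_secrets": sorted(m.group(1) for m in SECRET_RE.finditer(src)),
    }


def triage_bundle(root):
    """Triage every .py file under root, keyed by path relative to root."""
    root = Path(root)
    return {str(p.relative_to(root)): triage_source(p.read_text(encoding="utf-8"))
            for p in sorted(root.rglob("*.py"))}


def check_against_metadata(metadata, findings):
    """Compare what the registry declares with what the bundle actually contains."""
    issues = []
    if metadata.get("kind") == "instruction-only" and findings:
        issues.append(f"declared instruction-only but ships {len(findings)} Python script(s): "
                      f"{', '.join(sorted(findings))}")
    for name, f in findings.items():
        if f["network"] and not metadata.get("env"):
            issues.append(f"{name}: network-capable ({', '.join(f['network'])}) with no declared credentials")
        for u in f["urls"]:
            issues.append(f"{name}: hardcoded endpoint {u}")
        for s in f["hardcoded_secrets"]:
            issues.append(f"{name}: hardcoded secret-looking assignment to {s}")
        for p in f["abs_paths"]:
            issues.append(f"{name}: references fixed local path {p}")
        if f["exec"]:
            issues.append(f"{name}: can spawn processes or call native code ({', '.join(f['exec'])})")
    return issues


def triage_sample():
    """Materialise the constructed bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        for name, src in SAMPLE_BUNDLE.items():
            Path(d, name).write_text(src, encoding="utf-8")
        findings = triage_bundle(d)
    return findings, check_against_metadata(SAMPLE_METADATA, findings)


if __name__ == "__main__":
    findings, issues = triage_sample()
    for name, f in findings.items():
        print(name, f)
    print("\n".join(issues) or "no issues")
```

Point triage_bundle at an unpacked skill zip instead of the temp directory to get the same report for a real bundle. Static triage of this kind only tells you what the code could do; it does not replace running the scripts in a sandbox with the network blocked and watching what they actually touch.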
Tags: cost-estimation, aecom-paces, wsp, rics-nrm, international-qs, monte-carlo, uncertainty, engineering, japanese-construction
