ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Client Project Manager

v1.0.0

Manage freelance clients, projects, invoices, and communications. Use when tracking client work, creating invoices, sending updates, managing deadlines, or organizing freelance business operations.

0· 880·3 current·3 all-time
bySean Wyngaard@seanwyngaard
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the runtime instructions: create/read JSON files under ./freelance-data, generate invoices and updates, log time, and display a dashboard. No external services, credentials, or unrelated binaries are required.
Instruction Scope
SKILL.md confines operations to a local directory (./freelance-data) and describes only reading/writing JSON, generating Markdown/HTML invoices, and creating update emails. That scope is appropriate. One note: the skill header lists allowed-tools including Bash, which grants the agent the ability to run arbitrary shell commands; the SKILL.md itself does not instruct accessing system files outside the working directory, but the presence of Bash as an allowed tool increases the runtime capability and should be considered when granting tool permissions.
Install Mechanism
No install spec and no code files are present; this is instruction-only so nothing is written to disk by an installer. That is the lowest-risk posture for install mechanism.
Credentials
The skill declares no required environment variables, credentials, or config paths. It optionally reads freelance-data/config.json (local workspace config) for user/business name and payment preferences, which is proportionate to its function.
Persistence & Privilege
always is false (no forced permanent inclusion). The skill can be invoked autonomously (default platform behavior) but does not request elevated/system-wide privileges or modify other skills' settings.
Assessment
This skill appears coherent and limited to managing local freelance data under ./freelance-data. Before installing, consider: 1) Run it in a dedicated project folder or container so its file reads/writes are contained. 2) Review or create freelance-data/config.json yourself (don’t let the skill auto-read unknown config files). 3) Note that the skill lists Bash as an allowed tool — if your platform lets you restrict tools, only enable the file read/write helpers if you don't want the agent to run arbitrary shell commands. 4) Back up existing data before first run. If you want extra caution, test in an isolated environment (VM/container) first.

Like a lobster shell, security has layers — review code before you run it.

latestvk974bd6c380t06qk1m5wcmhxvx8128g8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments