Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tender Writer

v1.0.0

Tender technical-proposal generator for photovoltaic (PV) and weak-current (ELV) intelligent-systems projects. Automatically generates a Word-format tender technical proposal from the bid documents. Supports: PV EPC, PV EMC, PV third-party operation and maintenance, and weak-current intelligent-systems engineering. Trigger words: 投标, 标书, 技术方案, 招标文件 (tender, bid document, technical proposal, bid invitation document).

0 · 66 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (tender/technical proposal generator for PV and weak-electrical projects) matches the SKILL.md content: parsing bid documents, producing Word files from templates, and supporting various PV/weak-electrical templates. That is coherent with the skill's purpose. However, the SKILL.md explicitly states it will use python-docx to generate Word documents and will send results via Feishu — runtime capabilities that would normally require installed Python packages and messaging credentials, which are not declared in the skill metadata.
Instruction Scope
Instructions tell the agent to: (1) accept user-provided PDF/Word bid documents and automatically extract key information, (2) generate .docx files using python-docx, (3) save outputs to a tender/ directory, and (4) send results via Feishu. Reading user-supplied files and writing output locally is expected, but the instructions assume availability of python-docx and an authenticated Feishu sender without specifying where credentials come from or confirming user consent for transmission. This gap grants the agent discretion to access files and transmit them externally (via Feishu) in ways not fully specified.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — the lowest install risk. There are no download URLs or install scripts to evaluate.
Credentials
The skill requires access to tooling (python-docx) and an external messaging service (Feishu) to perform its stated tasks, but it declares no required environment variables, tokens, or config paths. In practice, sending via Feishu requires an API token/webhook or a platform-integrated messenger; generating Word files requires python and python-docx. The absence of declared credentials or dependencies is a mismatch and prevents a clear security assessment of where files will be transmitted and what secrets (if any) the skill will need.
Persistence & Privilege
The skill does not request always:true, does not claim any special persistent installation, and does not declare modifications to other skill configs. It will save outputs to a local tender/ directory per its instructions, which is a limited and stated file-write behavior.
What to consider before installing
This skill appears to do what it claims (generate Word-format tender proposals), but it omits important runtime details. Before installing or trusting it:

1) Confirm where python-docx (and Python) will run — the skill assumes that package is available; otherwise generation will fail.
2) Ask the author how Feishu delivery is implemented and whether any Feishu API tokens, webhooks, or credentials are required — do not provide general secrets without knowing the endpoint.
3) Verify where the skill writes files (the tender/ directory) and whether those outputs might be automatically transmitted to external accounts.
4) If you plan to feed sensitive bid documents, test the skill in a sandbox or isolated environment first.
5) Prefer skills with a known source or homepage and explicit declarations of required dependencies and env vars; request the missing metadata (required packages, any env vars/webhooks, and delivery endpoints) before using in production.


Tags: bid, latest, proposal, pv, tender, word
