Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Estimate Builder

v1.0.0

Cost estimation system for construction projects. Generates a detailed cost breakdown table covering labor, materials, machinery, subcontracting and other costs, compliant with the GB/T 50500-2024 pricing standard.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be an instruction-only estimator for GB/T 50500-2024 and includes Python sample code, which explains the python3 requirement. However, the package metadata (claw.json and _meta.json) shows owner IDs and version numbers that differ from the registry metadata, and claw.json declares a 'filesystem' permission even though no code file in the package clearly needs broad filesystem access. These inconsistencies suggest that the declared capabilities and permissions are not fully aligned with the stated purpose.
Instruction Scope
The SKILL.md and instructions.md focus on building and validating estimates and include code snippets that use pandas and DataFrame import/export methods. The runtime instructions themselves do not explicitly instruct the agent to read arbitrary system files or exfiltrate data, but the DataFrame import/export examples imply file or data handling. The default rates are also inconsistent: instructions.md specifies 15% overhead / 10% profit / 5% contingency, while the SKILL.md code uses 管理费 (overhead) 10%, 利润 (profit) 7%, 规费 (statutory fees) 5% and 税金 (tax) 9%. This functional inconsistency could confuse users or agents following the skill.
Install Mechanism
This is an instruction-only skill with no install spec and no downloaded artifacts, which is lower-risk. The skill declares python3 as a required binary (consistent with the included Python examples) but does not declare pandas or any other Python package that the examples import.
Credentials
The skill does not request environment variables, credentials, or config paths. That is proportionate for an estimation assistant that doesn't integrate with external services.
Persistence & Privilege
always:false and user-invocable:true, which is normal. However, claw.json includes a 'filesystem' permission that would permit reading and writing files if the platform enforces it; neither the registry metadata nor SKILL.md explains why general filesystem access is needed. The ownerId and version mismatches across files also raise supply-chain provenance concerns about who controls the skill and whether it was tampered with.
What to consider before installing
Do not install yet. Ask the publisher to explain or resolve these points before proceeding:
1. Confirm the publisher/owner identity: the ownerId in the registry does not match the one in _meta.json/claw.json.
2. Explain why the 'filesystem' permission is declared and which files, if any, the skill will read or write; refuse or restrict filesystem access unless it is explicitly required.
3. Clarify the runtime requirements: the skill lists python3 but its code references pandas. Confirm whether the skill executes code locally and which Python packages it needs.
4. Reconcile the inconsistent default markup/fee rates between instructions.md and SKILL.md so that agent behaviour is predictable.
5. Verify the homepage/source (https://datadrivenconstruction.io) and request a signed release or a repository link for the code.
If you proceed anyway, limit permissions (deny filesystem if possible), test with non-sensitive example data, and monitor for unexpected file access.
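Points 1 to 3 above can be checked mechanically before the skill ever reaches an agent. The script below is an added example, not ClawHub's scanner and not the Estimate Builder skill's own code: it loads the package's claw.json, _meta.json and SKILL.md, compares ownerId and version against what the registry shows, flags sensitive permissions that SKILL.md never explains, and parses the ```python fences in the markdown to find imports (such as pandas) that no declared requirement covers. The key names (ownerId, version, permissions, requires.bins, requires.pip), the sensitive-permission list and the sample files are assumptions modelled on the scan findings, not the real claw.json schema; adjust them to the actual format.

```python
"""Pre-install consistency check for a skill package of the kind ClawHub lists.

Added example; this is not ClawHub's scanner and not the Estimate Builder
skill's own code. The key names (ownerId, version, permissions, requires.bins,
requires.pip) and the sample files below are assumptions modelled on the
findings in the scan report, not the real claw.json schema.
"""
import ast
import json
import re
import sys

# Constructed sample package reproducing the three mismatches the scan reports:
# registry/claw.json/_meta.json disagree on ownerId and version, claw.json asks
# for 'filesystem', and the SKILL.md sample imports pandas without declaring it.
SAMPLE_FILES = {
    "claw.json": json.dumps({
        "name": "estimate-builder",
        "version": "1.0.1",
        "ownerId": "owner-abc",
        "permissions": ["filesystem"],
        "requires": {"bins": ["python3"]},
    }),
    "_meta.json": json.dumps({"version": "1.0.1", "ownerId": "owner-abc"}),
    "SKILL.md": (
        "# Estimate Builder\n"
        "Build a cost breakdown from a bill of quantities.\n"
        "```python\n"
        "import pandas as pd\n"
        "df = pd.DataFrame(rows)\n"
        "df.to_csv('estimate.csv')\n"
        "```\n"
    ),
}
# What the registry listing shows for the same skill (constructed values).
REGISTRY = {"version": "1.0.0", "ownerId": "owner-xyz"}

# Permissions that must be justified in SKILL.md before you accept them (assumed names).
SENSITIVE_PERMISSIONS = {"filesystem", "network", "shell", "env"}
# Modules that ship with the interpreter and therefore need no declared requirement.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {
    "json", "csv", "re", "os", "sys", "math", "decimal", "pathlib",
}
FENCE_RE = re.compile(r"```python\n(.*?)```", re.DOTALL)


def load_json(files, name):
    return json.loads(files[name]) if name in files else {}


def check_provenance(files, registry):
    """Flag ownerId/version values that differ between registry, claw.json and _meta.json."""
    sources = {
        "registry": registry,
        "claw.json": load_json(files, "claw.json"),
        "_meta.json": load_json(files, "_meta.json"),
    }
    findings = []
    for field in ("ownerId", "version"):
        seen = {src: meta[field] for src, meta in sources.items() if field in meta}
        if len(set(seen.values())) > 1:
            findings.append(f"{field} mismatch across sources: {seen}")
    return findings


def check_permissions(files):
    """Flag sensitive permissions that SKILL.md does not even mention."""
    claw = load_json(files, "claw.json")
    skill_md = files.get("SKILL.md", "").lower()
    return [
        f"permission '{perm}' declared in claw.json but not explained in SKILL.md"
        for perm in claw.get("permissions", [])
        if perm in SENSITIVE_PERMISSIONS and perm not in skill_md
    ]


def python_imports(markdown):
    """Top-level module names imported inside the ```python fences of a markdown file."""
    mods = set()
    for block in FENCE_RE.findall(markdown):
        try:
            tree = ast.parse(block)
        except SyntaxError:
            continue  # a snippet that does not parse cannot be executed either
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                mods.update(alias.name.split(".")[0] for alias in node.names)
            elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
                mods.add(node.module.split(".")[0])
    return mods


def check_requirements(files):
    """Flag third-party imports in the shipped snippets that no requirement declares."""
    requires = load_json(files, "claw.json").get("requires", {})
    declared = set(requires.get("bins", [])) | set(requires.get("pip", []))
    findings = []
    for name, text in files.items():
        if not name.endswith(".md"):
            continue
        for mod in sorted(python_imports(text) - STDLIB - declared):
            findings.append(f"{name}: imports '{mod}' but no requirement declares it")
    return findings


def audit(files, registry):
    """All findings; an empty list means the package is internally consistent."""
    return check_provenance(files, registry) + check_permissions(files) + check_requirements(files)


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES, REGISTRY):
        print("!", finding)
```

Run against the constructed sample it reports four findings: the ownerId and version mismatches, the unexplained 'filesystem' permission, and the undeclared pandas import. A clean result does not prove the skill is safe, since the permission check only looks for a mention in SKILL.md, but a non-empty result is exactly the list of questions to put to the publisher before installing.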


latest: vk975pxr32s7vernp4hh6n5zwex848zsm


Runtime requirements

📊 Clawdis
OS: macOS · Linux · Windows
Bins: python3
