Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
bidding-tracker
v0.1.3 A dedicated tool for managing military and government procurement bidding opportunities. It handles project registration, bid-document purchase, bid sealing, bid opening, result entry, award statistics and win-probability assessment; it does not handle contract performance, invoices, expense reimbursement or other non-bidding matters.
⭐ 0 · 110 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description, CLI and scripts all match a bid-tracking tool. However there are mismatches: registry metadata says 'No install spec' but SKILL.md metadata suggests 'pip install -e {baseDir}' and the package contains many Python files (not an instruction-only skill). README mentions enterprise WeCom notifications but the skill does not declare or require any WeCom credentials in metadata.
Instruction Scope
Runtime instructions and skill code require reading and writing local files: project DB (default {CWD}/data/bids.db), attachments directories, and optional user files under ~/.config/bidding-tracker (profiles.md, .env, evaluate_prompt.md). The evaluate flow explicitly asks the LLM to parse user-supplied documents and to read profiles.md. Loading of .env files into the process environment is performed (config.load_env), which will inject keys from user-level and CWD .env files into os.environ when they do not already exist.
Install Mechanism
No remote download/install URLs are present (the package is local source). SKILL.md metadata indicates 'pip install -e {baseDir}' which is reasonable for a Python package. The registry entry is inconsistent about 'instruction-only' vs the presence of many code files—this inconsistency should be resolved before trusting installer expectations.
Credentials
The skill declares no required environment variables or secrets, which aligns with many local CLI tools. However it will read and inject .env files (CWD/.env and ~/.config/bidding-tracker/.env) into os.environ if keys are absent from the process — this can pull sensitive values from the user's system into the tool at runtime. README/README-like text suggests WeCom integration for notifications but no credentials are declared; if additional code (not shown) sends messages to external services it would normally require API tokens, creating an undeclared credential need.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configs. It does write to a local SQLite DB and attachments directories (expected for its purpose) and may be invoked autonomously (default), which is the normal platform behavior.
What to consider before installing
Before installing or enabling this skill:
1) Resolve the metadata mismatch — the registry lists this as instruction-only but the package includes Python code and the SKILL.md suggests pip install; treat it as installable code, not a pure instruction.
2) Inspect ~/.config/bidding-tracker/.env and any CWD .env files — the package will load keys from those into os.environ if present; don't keep unrelated secrets there.
3) The tool moves files you give it into attachments directories and writes to a local SQLite DB (DB_PATH default {CWD}/data/bids.db) — run it in an isolated working directory or container if you don't want your filesystem modified.
4) README mentions WeCom notifications but no credentials are declared; locate any notification/WeCom code before enabling network access and supply credentials only if you trust the destination.
5) If you plan to let agents call this skill autonomously, consider restricting that capability (or review all code paths that might send network requests) because the skill reads local config and files.
6) If uncertain, run the package in a disposable VM/container, or ask the maintainer to: provide a consistent install spec, document any required external credentials, and confirm whether any network outbound behavior exists.
latest: vk97ckyd9renwvm8t84e48fsjax84gym9
Runtime requirements
📋 Clawdis
Bins: bidding-tracker
