bidding-tracker

Review

Audited by ClawScan on May 10, 2026.

Overview

The tool matches its bid-tracking purpose, but it should be reviewed because managers may be able to see projects outside their scope and fuzzy project matching can change the wrong bid record.

Review this skill before installing in a shared team environment. If you use it, prefer exact project numbers, confirm every status-changing action, and fix the manager query bug so users cannot view projects outside their responsibility. Avoid placing confidential secrets in tender files or profile prompts used for evaluation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A team member who knows or guesses a project number may be able to view other bid records, including budgets, contacts, procurement parties, deadlines, and results.

Why it was flagged

An exact project-number lookup returns immediately before the manager role filter is added, so a manager using an exact project number can receive a project record outside their assignment.

Skill content

if keyword:
    exact = conn.execute("SELECT * FROM projects WHERE project_no = ?", (keyword,)).fetchone()
    if exact:
        ...
        return [dict(zip(cols, exact))]
...
if role == 'manager' and name:
    sql += " AND project_manager = ?"

Recommendation

Apply role and assignment filters before returning exact matches, and require authenticated user context for all project detail lookups.

What this means

A vague project name could cause the agent to mark the wrong bid as purchased, sealed, cancelled, or otherwise advanced in the workflow.

Why it was flagged

The skill resolves a project by exact number or fuzzy name fragment and then updates that project's status, with no visible ambiguity check or confirmation if multiple names match.

Skill content

"SELECT id FROM projects WHERE project_no = ? OR project_name LIKE ?", (keyword, f"%{keyword}%")).fetchone()
...
run_script('update_project.py', ['--id', str(project_id), '--field', 'status', '--value', status_value])

Recommendation

Require exact project numbers for mutations, or list all matches and ask the user to confirm before any state-changing action, especially cancellation and result entry.

What this means

Sensitive tender documents or company qualification profiles may be exposed to the model context, and document text could influence the agent's analysis if treated too authoritatively.

Why it was flagged

Tender document text and company profile context are intentionally placed into the model context for analysis.

Skill content

After the LLM receives the response, it should treat `analysis_prompt` as the analysis framework instruction, `profiles` as the context for the bidding entity's strategic asset library, and `document_text` as the original text of the tender document to be analyzed.

Recommendation

Use this only with intended tender files, avoid putting secrets in profiles, and treat tender-document contents as data rather than instructions.

What this means

Users have less external provenance information to verify where the code came from, even though the provided artifacts do not show hidden downloads or obfuscated behavior.

Why it was flagged

The package provenance is limited, while SKILL.md still declares a local editable pip install for the required `bidding-tracker` binary.

Skill content

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Install only from a trusted workspace or reviewed repository, and ensure the packaged code matches the reviewed artifacts.