ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Proposal Gen

v1.0.1

skill proposal gen

0· 50·0 current·0 all-time
by@zimuge-doudou
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description claim a proposal-generation skill and the code implements templates, create/list/export, and saves proposals — this is coherent. However the SKILL.md usage example ('from skill_proposal_gen import execute') does not match the package __init__.py which only exports ProposalGen. Version strings also differ (__init__='2.0' vs SKILL.md/config.json='1.0.0'). These inconsistencies indicate the package's public API/metadata is not aligned with the documentation.
Instruction Scope
SKILL.md gives a single example calling execute(action='connect') and otherwise is minimal. The implementation performs file I/O (creates a 'proposals' directory next to the module, reads/writes JSON and writes .md exports). The SKILL.md does not document this file creation/IO or the proposals directory; callers may be surprised that the skill writes files into the package directory. No network calls or secret access are present in the instructions or code.
Install Mechanism
There is no install spec (instruction-only at registry level) and code files are bundled with the skill. No external downloads or install scripts are present.
Credentials
The skill declares no required environment variables or credentials and the code does not read environment variables or external secrets. Requested privileges are minimal.
Persistence & Privilege
The skill does persist data by creating a 'proposals' directory beside the module and saving JSON/.md files there. While not high privilege, writing into the package's directory (site-packages or wherever the module is installed) can be surprising and may fail or be undesirable; it would be better to use a user data directory. always:false and no other elevated privileges are requested.
What to consider before installing
This skill's functionality (proposal templates, create/list/export) is plausible and there is no evidence of network exfiltration or secret access — but there are several inconsistencies and surprising behaviors you should check before installing: (1) The SKILL.md example imports execute, but __init__.py only exposes ProposalGen — try importing the package locally to confirm the API. (2) Version metadata is inconsistent across files, which suggests packaging errors. (3) The code creates and writes files into a 'proposals' directory located next to the module; determine where that will be on your system (it may be inside site-packages) and whether you want the skill to write there. (4) The implementation has minor code issues (missing typing imports) that could cause runtime errors. Recommended actions: inspect or run the package in a sandbox/isolated environment, review/modify the code to change the storage path to a user-writable data directory if needed, and only grant it broader access if you confirm the code matches the documented behavior. If you need a clean API (execute function), either patch __init__.py to expose it or prefer a different skill that documents its public interface consistently.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a1z0ckwejvsxe742weekzmx84r3w4
50downloads
0stars
1versions
Updated 1w ago
v1.0.1
MIT-0
@zimuge-doudou
latest
Download

skill proposal gen技能

功能概述

skill proposal gen

核心功能

  • 基础功能实现
  • 状态管理
  • 数据处理

应用场景

  1. 日常业务流程
  2. 自动化任务
  3. 数据处理

使用方法

from skill_proposal_gen import execute
result = execute(action="connect")

参数说明

参数类型说明
actionstr执行动作

技能信息

  • 调用模式: both
  • 推荐套餐: MiniMax
  • 版本: 1.0.0

Comments

Loading comments...