Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Quotation Engine

v1.0.1

Intelligent Quotation Engine: automatically generates quotations from an equipment list and labor hours

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name and description (Intelligent Quotation Engine: generates quotations) align with the included code: QuotationEngine.generate computes costs and returns a quotation. However, there are minor mismatches: the SKILL.md example calls engine.export_pdf(...), but the implementation only provides export_json and summary. Also, __init__.py declares __version__ = "2.0" while the registry metadata/version in SKILL.md is 1.0/1.0.1; these are small packaging and documentation inconsistencies.
Instruction Scope
SKILL.md instructs usage that includes export_pdf, which does not exist in the code; following the doc will cause errors. Otherwise, runtime instructions are limited to importing the class and calling methods; the code only performs local computation and file read/write (export_json). The skill does not access the network, other files, or environment variables beyond reading and writing JSON files provided by the user.
Install Mechanism
No install spec is provided (instruction-only install). The bundle does include Python source files that will be present if the skill is installed, but there is no download-from-URL or third-party package installation. This is low-risk from an install perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The implementation does not attempt to read environment variables or external secrets; all inputs come from the provided show_data dict or a user-supplied JSON file.
Persistence & Privilege
The always flag is false, and the skill does not modify other skills or system-wide settings. It performs only local file writes (export_json) to paths the caller specifies. No elevated persistence or privilege escalation behavior was observed.
What to consider before installing
This skill appears to implement a legitimate quoting calculator and does not request network access or credentials, but the documentation and packaging have small inconsistencies you should address before use. Specifically: (1) SKILL.md shows export_pdf(...) but the code only implements export_json and summary — calling export_pdf will fail; either request the author to provide the PDF export or update the docs, or implement your own PDF export wrapper. (2) Version strings differ between the package and metadata — verify you have the intended release. (3) The skill reads a user-supplied JSON and writes files to disk; run it in a sandbox or with limited file permissions until you’re comfortable. (4) Review and test with sample data to ensure outputs meet your expectations. If you need guarantees about no network calls or added behavior, request the author confirm there are no hidden features (or inspect any future updates) before deploying in production.
