Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Job Applications
v1.0.0
Automates job search on Indeed, analyzes fit, tailors resume, and applies via Greenhouse, Lever, Workday, or Indeed Easy Apply, logging all results.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (search, analyze fit, tailor resume, apply, log) aligns with included files: config, resume JSON, tailoring script, and tracking logs. The skill relies on the agent's browser automation (described in SKILL.md) to fill ATS forms rather than shipping form-fill code — this is plausible but is an implicit dependency. The README and script require pdflatex for PDF generation, but the skill's metadata did not declare any required binaries.
Instruction Scope
SKILL.md instructs the agent to use stored browser sessions (Indeed and LinkedIn) and to request an email verification code or LinkedIn credentials from 'Abed' via the '#job-applications' Discord channel. It also directs the agent to post run summaries to that Discord channel and to log every job. These instructions involve collecting/transmitting sensitive authentication material and detailed application logs to an external chat channel, which is out-of-scope for a minimal resume-tailoring script and creates a risk of credential exposure or data leakage.
Install Mechanism
No install spec is provided (instruction-only) and that's low risk, but the included script calls pdflatex via subprocess. The skill bundle's README mentions pdflatex is required — this binary is an undeclared dependency in the registry metadata. There are no downloads or archives, and no obfuscated code; the Python script is readable and appears to perform only LaTeX generation and invocation.
Credentials
The skill declares no environment variables or credentials, yet SKILL.md assumes access to logged-in browser sessions for Indeed/LinkedIn and instructs asking for 2FA codes and passwords via Discord. The skill package also contains abundant PII (email, phone, full resume) and extensive application history in tracking/*.json. Requesting or transmitting account credentials or 2FA through a Discord channel is disproportionate and risky unless the channel is strictly private and authenticated — the skill provides no such assurance.
Persistence & Privilege
always is false and the skill does not request permanent system-wide privileges. It does instruct the agent to use and close browser tabs in the OpenClaw browser context, but it does not modify other skills or system configurations.
What to consider before installing
Before installing, verify these items:
1) Confirm where and how the agent's browser sessions are stored and protected — do not allow the skill to run against sessions that contain saved passwords or unrecoverable tokens unless you trust the execution environment.
2) Never share 2FA codes or passwords in an untrusted or public Discord channel; change the workflow so human approvals and codes are delivered securely (private channel, direct message, or in-UI prompt).
3) Remove or sanitize embedded PII/tracking logs from the skill bundle if you plan to install it in a shared registry — the included tracking/*.json files contain full application histories and personal contact info.
4) Add an explicit declaration of required binaries (pdflatex) and require the agent to confirm availability before attempting PDF compilation.
5) Consider disabling fully automatic 'auto_apply' or require interactive confirmation for each application to prevent accidental submissions.
6) If you want this to run autonomously, require secure logging and an access policy for the Discord/reporting endpoint — right now the skill gives no detail about where summaries are posted or who can read them.
If you want, provide the owner with questions to clarify these points; if you are uncomfortable with credential handling or public reporting, do not install.
Like a lobster shell, security has layers — review code before you run it.
