Job Applications
WarnAudited by ClawScan on May 18, 2026.
Overview
This skill has a legitimate job-application purpose, but it can use logged-in job-site sessions to auto-submit applications on a schedule and route credentials or summaries through Discord without clear per-application approval.
Only install or run this if you are the named candidate or have explicit permission to act for them. Before use, turn off auto-apply or require approval before every submission, remove or replace hard-coded personal data, avoid sending passwords or one-time codes through Discord, and make any scheduled runs opt-in with a clear stop/cleanup process.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could submit resumes, contact information, and application answers automatically, and mistakes could affect the user's reputation or job prospects.
The configuration enables automatic real-world application submissions across multiple ATS/job platforms, up to 20 per day, without an artifact-backed per-application confirmation step.
"max_applications_per_day": 20, "platforms_supported": ["greenhouse", "lever", "workday", "indeed_easy_apply", "linkedin_easy_apply"], "auto_apply": true
Disable auto-apply by default and require explicit user approval before each final submission, especially for Workday, LinkedIn, Indeed, and external ATS forms.
A compromised or mistaken agent action could use the user's job-site accounts to submit applications, change account state, or expose login material.
The skill relies on active browser sessions and asks for account credentials when sessions expire, giving the agent high-impact delegated access to job-site accounts.
LinkedIn session is logged in on the openclaw browser ... If session expires, navigate to https://www.linkedin.com/login and ask Abed for credentials in #job-applications
Declare credential requirements clearly, avoid sharing passwords in chat, use scoped/temporary authentication where possible, and require user approval for account sign-in and submission actions.
The agent may continue taking external actions multiple times per day, increasing the chance of unwanted or duplicate applications.
The skill describes recurring scheduled operation; combined with auto-apply behavior, this can keep submitting applications after the initial setup unless separately controlled.
## Cron Schedule Runs 3x daily: - 8:00 AM CT - 12:00 PM CT - 5:00 PM CT
Make scheduling opt-in, document how to stop it, and separate scheduled search/logging from final application submission.
Login codes, credentials, and application details could be exposed to unintended Discord participants or retained in chat history.
The instructions route authentication codes and job-application summaries through a Discord channel without describing channel access, retention, or verification boundaries.
ask Abed for the email code in #job-applications Discord channel ... Report summary to #job-applications Discord channel after each run
Do not request passwords or one-time codes in Discord; use a private, verified approval flow and limit summaries to non-sensitive information.
Personal profile data and application history may persist in the skill directory and be reused or uploaded during later runs.
The skill stores persistent candidate profile/contact data used for future applications; this is purpose-aligned but sensitive.
"candidate": { "name": "...", "email": "...", "phone": "...", "location": "..." }Use only with the named candidate's consent, remove hard-coded personal data before sharing, and define retention/cleanup rules for generated resumes and logs.
Running the helper depends on a local LaTeX installation and executes a local process to compile generated resume files.
The helper script executes a local PDF compiler to generate resumes; this is aligned with the stated purpose, but users should know it requires local command execution.
subprocess.run(["pdflatex", "-interaction=nonstopmode", "-output-directory", output_dir, tex_path], capture_output=True, text=True, timeout=30)
Declare the pdflatex dependency in metadata and keep generated LaTeX inputs scoped to trusted resume data.