Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Boss Cli
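v1.0.0
BOSS直聘 CLI tool supporting job search, job application management, chat, sending greetings, and more. Implemented by reverse-engineering the BOSS直聘 API; supports multiple cities and multiple filter conditions. Triggered when the user needs to search for jobs on BOSS直聘, view company information, manage job applications, or contact HR.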
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a CLI client for BOSS直聘 and the CLI commands shown align with that purpose. However the package to install (kabi-boss-cli) has no source/homepage declared in the metadata, so provenance is missing.
Instruction Scope
Runtime instructions tell the agent to run 'pip install kabi-boss-cli' and to use 'boss login' which 'auto-detects browser Cookie'. That implies the CLI will access local browser cookie stores or other local state — behavior not declared in the skill metadata and potentially sensitive.
Install Mechanism
No install spec included in the skill metadata; the SKILL.md instructs installing a PyPI package of unclear origin. Installing arbitrary packages from PyPI is a supply-chain risk unless the package and source are verified.
Credentials
requires.env is empty but the instructions implicitly require access to browser cookies or local authentication state. Sensitive local credentials/config access is not declared or justified in the metadata.
Persistence & Privilege
always is false and there is no indication the skill demands persistent or platform-wide privileges or automatic inclusion. It does not request modification of other skills/configs.
What to consider before installing
This skill appears to be a wrapper around a third‑party CLI but lacks source/provenance and implicitly asks the agent to install and use a package that may read your browser cookies. Before installing, verify the package 'kabi-boss-cli' on PyPI/GitHub (author, source code, recent activity, issues). If you proceed: (1) run the install in an isolated environment (VM/container) or inspect the package source first; (2) avoid giving it access to your main browser profile — use a disposable browser/profile if cookie-based login is needed; (3) prefer official clients or documented APIs when possible; (4) do not run these commands if you cannot review the package code or trust its publisher. Because the skill can instruct the agent to run installs and logins, treat it as higher-risk until provenance is confirmed.
Like a lobster shell, security has layers — review code before you run it.
