Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Placed

v1.0.0

Complete Placed career platform integration — resume builder, interview coach, job tracker, ATS checker, cover letter generator, LinkedIn optimizer, and sala...

by Ajit Singh (@ajitsingh25)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description claim a Placed career integration (resume builder, interview coach, job tracker, etc.) and the instructions call the Placed API for those functions. The capabilities requested by the SKILL.md are consistent with the stated purpose.
Instruction Scope (flagged)
The runtime instructions explicitly instruct the agent to source ~/.config/placed/credentials, prompt the user for an API key if absent, and then write the key into $HOME/.config/placed/credentials and export it. That is file I/O in the user's home directory and persistent credential storage—sensitive actions that are not reflected in the skill's declared requirements. The instructions are otherwise limited to making POST requests to placed.exidian.tech.
Install Mechanism
This is an instruction-only skill with no install spec or code files. No binaries or external downloads are required, which reduces installation risk.
Credentials (flagged)
The SKILL.md expects PLACED_API_KEY (and a credentials file) but the skill metadata lists no required environment variables or primary credential. Requesting and persisting an API key is reasonable for this integration, but the omission in declared requirements is an incoherence and prevents upfront verification of required secrets.
Persistence & Privilege
The skill will persist the user's API key to $HOME/.config/placed/credentials for future sessions. The skill is not marked 'always' and does not request elevated platform privileges, but persistent storage of credentials increases the blast radius if the stored key is sensitive or if the file is left world-readable. Autonomous invocation is enabled by default (not a direct flag here) — combined with stored credentials, this raises risk if you do not trust the skill/source.
What to consider before installing
Before installing:
(1) Confirm you trust placed.exidian.tech and the skill author; visit the homepage and verify the service.
(2) Be aware the SKILL.md will ask for your PLACED_API_KEY and then write it to $HOME/.config/placed/credentials — ensure you are comfortable storing a persistent API key on disk and that the file will have restricted permissions.
(3) Prefer creating an API key with limited scope or an ephemeral/test key to minimize exposure.
(4) Ask the developer why the skill metadata does not declare PLACED_API_KEY as a required credential (this omission prevents automatic checks).
(5) After uninstalling or if you stop using the skill, delete the credentials file and rotate the API key.
(6) If you want tighter control, do not grant autonomous agent invocation or require manual confirmation before the skill is used.

Like a lobster shell, security has layers — review code before you run it.

latestvk972hsyb85yjqva658afwd41rn83a6ev


Runtime requirements

💼 Clawdis
