Job-Hunter
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running npm install for remote code can execute dependency or package scripts in the workspace.
The skill depends on cloning and installing an external, unpinned Node.js project that is not included in the reviewed artifacts.
git clone https://github.com/alon-mini/CareerForge-cli.git careerforge-cli
cd careerforge-cli
npm install
Review the GitHub repository before use, pin a trusted commit or release when possible, and run it in an isolated workspace.
A mishandled API key could be reused by other local processes or incur costs.
The skill expects a Gemini API key, which is appropriate for the stated LLM workflow but gives access to the user's provider quota or billing.
Please set your Google Gemini API key:
export GEMINI_API_KEY='your-key-here'
Or add it to ~/.bashrc or ~/.zshrc for persistence
Use a dedicated API key with quotas or restrictions, avoid sharing it in chat or committed files, and remove it when no longer needed.
The workspace may contain sensitive resume details such as phone number, email, work history, and generated CVs.
The helper script collects personal contact and career information and stores it in a persistent local master resume file.
read -p "Email: " email
read -p "Phone: " phone
read -p "LinkedIn URL: " linkedin
...
cat > CV_Master/master_resume.md << EOF
Keep the workspace private, review generated resume files before sharing, and delete stored CV data when it is no longer needed.
Generated CVs may include personal contact information and could be visible to others if sent to a shared Telegram group.
The workflow uses Telegram as an external delivery channel, but the artifacts do not define group membership, bot permissions, or recipient controls.
Sends job listings to user's Telegram group ... When user replies to a job message with "CV" ... Send CV PDF back to user
Use a private chat or tightly controlled group, verify recipients before sending CVs, and avoid posting sensitive resume files to broad groups.
The automation may continue sending messages or using API quota until the schedule is changed or disabled.
The skill describes recurring scheduled automation, which is part of the stated purpose but persists beyond a single interactive run.
The cron job runs hourly and:
1. Searches for jobs matching filters
2. Sends job listings to user's Telegram group
Confirm the cron schedule before enabling it, keep logs visible, and provide or document a clear way to pause or remove the job.
