ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Job Applying Agent

v2.0.1

Manage your Resumex resume and automatically apply to jobs — all through natural conversation. Fetches your live resume from Resumex, uses built-in web searc...

1· 70·0 current·0 all-time
byAtharva Badgujar@atharva-badgujar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (resume management + auto-apply) align with required binaries (python3, pip3), required env var (RESUMEX_API_KEY), and the included helper scripts (job_applier.py and send_pdf.py). The declared network endpoints (resumex.dev and api.telegram.org) match the stated features.
Instruction Scope
SKILL.md instructs the agent to fetch resume data from Resumex, run local Playwright automation to fill forms, and optionally call Telegram — all of which match the description. Note: the auto-apply flow can submit applications to third-party job portals (with user approval by default). The instructions explicitly warn about AUTO_APPLY_MODE and bot-detection; this is scope-appropriate but operationally impactful (may submit real applications).
Install Mechanism
No automated install spec in registry, but SKILL.md requires pip install -r requirements.txt and playwright's chromium installer (Playwright on PyPI + download of Chromium ~300MB). These are standard and expected for browser automation; user guidance recommends using a virtualenv. No unexpected or opaque downloads or custom servers are used.
Credentials
Only RESUMEX_API_KEY is required; TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are optional and used only for Telegram delivery. Local flags (AUTO_APPLY_MODE, HEADLESS_BROWSER) are purely local and justified by the feature set. Credential scope is proportional.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide privileges. It does not modify other skills' configs. Agent autonomous invocation is allowed by default (normal), but AUTO_APPLY_MODE must be explicitly set to enable blind submissions.
Assessment
This skill appears to do what it says, but consider the following before installing: - Use a dedicated, revocable RESUMEX_API_KEY for this skill and revoke it if you suspect misuse. - Keep AUTO_APPLY_MODE=false (the default) until you have tested the flow; enabling it will submit applications without per-job confirmation. - Install Playwright and Chromium inside a Python virtualenv as recommended; the Chromium binary download is ~300MB and stored in ~/.cache/ms-playwright/. - Telegram integration is optional—only provide TELEGRAM_BOT_TOKEN if you want Telegram delivery. - Review job_applier.py and send_pdf.py (both are included and readable) if you want to inspect exact behavior; they claim to only access the stated endpoints and to accept resume data via CLI args (no hidden network calls). - Be aware that automated form submission may trigger CAPTCHAs or violate portal terms; the skill documents a graceful fallback returning manual links if blocked. If you want extra assurance, run the skill with auto-apply disabled and test a single application to confirm behavior before wider use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9715csmgveenmgxmdpwn8h3dx84xj4wresumevk97fd9rvx7s5299txkzck1zq6h84rb6r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, pip3
EnvRESUMEX_API_KEY

Comments