Auto Job Applying Agent
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for resume and job-application automation, but it needs review because its Telegram helper can expose a bot token in error output and it can submit real job applications.
Install only if you trust Resumex with your resume data and are comfortable with automated job applications. Use a dedicated revocable Resumex API key, keep AUTO_APPLY_MODE=false, review every job before submission, and avoid enabling Telegram delivery until the bot-token error logging is fixed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If Telegram delivery fails, someone who can see the error output may get the Telegram bot token and use it to control that bot.
Telegram bot tokens are embedded in the request URL. On HTTP or network errors, the exception includes that full URL and is printed to stderr, which can expose the token to logs or agent output.
url = f"{TELEGRAM_BASE}{bot_token}/sendMessage" ... raise RuntimeError(f"HTTP {exc.code} from {url}: {body}") ... print(f"[error] Telegram request failed: {exc}", file=sys.stderr)
Redact the bot token from all exception messages before printing. Until fixed, avoid Telegram delivery or use a disposable bot token and rotate it if any error output exposed it.
The agent can submit applications in your name to external job portals; mistakes or unwanted submissions may be irreversible.
The skill intentionally uses browser automation to submit job applications, and an opt-in mode can remove per-job approval.
[5] AUTO-APPLY — Agent calls job_applier.py for each job: ✅ Standard forms → filled + submitted automatically ... AUTO_APPLY_MODE=true: Applications are submitted without per-job confirmation
Keep AUTO_APPLY_MODE=false, review each ranked job before applying, and test on one application before allowing broader automation.
Installing these dependencies adds third-party code and a large browser binary to the local environment.
The auto-apply feature depends on installing Python packages and downloading a Chromium browser binary. This is disclosed and purpose-aligned, but it expands the local dependency surface.
The agent will run this automatically on first use:
pip3 install -r requirements.txt
python3 -m playwright install chromium
Install in a virtual environment or sandbox, review requirements.txt, and avoid running the browser automation if you do not need auto-apply.
Your name, email, phone number, location, and profile links are used in automation and sent to selected job portals.
Personal resume/contact data is passed from the agent into a local helper process. This is expected for form filling, but it means sensitive profile data enters agent/tool context.
This script receives all resume data as CLI arguments from the OpenClaw agent ... --name ... --email ... --phone ... --location ... --linkedin
Only approve jobs and portals you trust, avoid including unnecessary sensitive details in your resume, and run the skill on a trusted single-user machine.
