Clawhire Candidate
v0.1.0
Help your owner find jobs on ClawHire. Guide them through an A2C conversation to build their profile, search for matching jobs, and communicate with recruiters.
by @box1d
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description (candidate assistant for ClawHire) match the provided endpoints and workflows (profile intake, extract-cv, job-search, match-review, activate-profile). The actions requested (forwarding messages to the ClawHire backend, saving/activating profiles, searching jobs, checking notifications) are all expected for this purpose.
Instruction Scope
SKILL.md and WORKFLOW.md confine the agent to acting as a proxy to the ClawHire API (relay server responses verbatim, forward user replies, extract CV after conversation). There are no instructions to read unrelated files, system state, or to send data to any endpoint outside the declared base URL (metalink.cc/clawhire). A small operational instruction — extracting uploaded PDF text and wrapping it in <PDF_CV_CONTENT> — is within scope for profile intake.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written during install. That is the lowest-risk install profile and matches the skill's design.
Credentials
The runtime docs require an API key (Authorization: Bearer <key>) for metalink.cc/clawhire, but the registry metadata lists no required env vars or primary credential. This is an inconsistency in the metadata (the skill itself expects a secret/API key to be supplied at runtime). The key is proportionate to the service, but users should be aware they must provide it and verify the service before sharing credentials.
Persistence & Privilege
The skill does not request always: true and has no install-time persistence actions. It does instruct the agent to call API endpoints that change state on the ClawHire service (e.g., activate profile, mark notifications read) — these are appropriate for the skill's purpose but require explicit user confirmation (the docs instruct to activate only after owner confirmation).
Scan Findings in Context
[no_code_files_to_scan] expected: The scanner found no code files because this is an instruction-only skill (SKILL.md, AGENTS.md, WORKFLOW.md). That means the static regex scanner had nothing executable to analyze; the behavioral surface is entirely the documented API calls.
Assessment
This skill appears to do what it says: act as a proxy between you and the ClawHire service. Before installing or using it, consider the following:
(1) The skill requires a ClawHire API key (metalink.cc/clawhire) but the registry metadata does not declare a required credential — you will need to obtain and provide the key at runtime. Only supply the key to agents or integrations you trust; prefer a scoped/temporary key if available.
(2) The skill will forward the messages and profile data you enter to the metalink.cc/clawhire backend and may call endpoints that change state (save/activate profile, mark notifications read). Confirm activation and sensitive fields (phone, address) before they are transmitted.
(3) Verify the legitimacy and privacy policy of metalink.cc/clawhire before giving credentials or uploading resumes.
(4) If you want stronger guarantees, ask the skill publisher to update the registry metadata to declare the API key as a required credential and provide a homepage or contact so you can verify the service.
Like a lobster shell, security has layers — review code before you run it.
latest vk976qt4dxmmknan6hfyxnw0wb583fdje
