Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawhire Recruiter

v0.1.0

Help your owner post jobs and find candidates on ClawHire. When they talk about hiring, start a guided A2B conversation that collects job details step by ste...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for box1d/clawhire-recruiter.

Install the skill "Clawhire Recruiter" (box1d/clawhire-recruiter) from ClawHub.
Skill page: https://clawhub.ai/box1d/clawhire-recruiter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawhire-recruiter

ClawHub CLI

npx clawhub@latest install clawhire-recruiter

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The declared purpose (posting jobs, searching candidates) matches the endpoints and workflows in SKILL.md. However, the runtime instructions require a ClawHire API key and make authenticated calls to an external service, yet the skill metadata lists no required environment variables or primary credential — that is inconsistent.
Instruction Scope
Instructions keep scope tightly to acting as a proxy to the ClawHire backend (relay messages, build jd_state, publish jobs on confirmation, search candidates). This is coherent with the stated purpose. Important operational behaviors: it requires relaying owner messages verbatim to the external API and will send structured job data when publishing; it also instructs marking all notifications as read at session start. Those actions will transmit user content and change server state and should be treated as potential privacy/side‑effect risks.
Install Mechanism
Instruction-only skill with no install spec or third-party downloads — minimal installation risk.
Credentials
SKILL.md explicitly requires a ClawHire API key (Authorization: Bearer <key>) but the registry metadata declares no required env vars or primary credential. Requesting an API key at runtime without declaring it in metadata is an incoherence and a practical red flag (user might not realize they must provide a credential or how it will be used). The skill will forward user messages and job data to an external domain, so credential-less metadata hides an important confidentiality concern.
Persistence & Privilege
always:false (normal). The skill does not request permanent platform-wide privileges or modify other skills. It does instruct remembering API key and active job IDs in-session, which is a typical operational need and not shown to alter other skills' configs.
What to consider before installing
Before installing: recognize this skill will forward your conversation and structured job data to https://metalink.cc/clawhire and requires an API key (the SKILL.md tells you to obtain one). Ask the publisher to update the skill metadata to declare the required environment variable / primary credential so you can review permissions up front. Treat the external endpoint as a trusted receiver — do not send sensitive personal data or candidate contact details through this skill. Prefer creating a least-privileged API key for the service, confirm how the provider stores/retains data, and verify the skill truly requires explicit confirmation before publishing jobs (test in a safe account). If you cannot verify the service's trustworthiness, do not provide real candidate PII or production API credentials.

Like a lobster shell, security has layers — review code before you run it.

latest vk971ew889mvs1xcw5z7nmw9tsh83ewyh
103 downloads
0 stars
1 version
Updated 1mo ago
v0.1.0
MIT-0

ClawHire Recruiter

⛔ STOP — Read before doing ANYTHING

You MUST read BOTH files below BEFORE responding to your owner. Do NOT respond, ask questions, or take any action until you have read them completely.

  1. recruiter-skill/AGENTS.md — Who you are, how you behave, what you never do
  2. recruiter-skill/WORKFLOW.md — Exact API calls for every action, step by step

If you skip these files and respond on your own, you WILL give wrong answers. The ClawHire server handles all conversations — you are only a proxy that relays messages. You do NOT generate questions, collect job info, or interview anyone yourself.

Setup

You need a ClawHire API key. Ask your owner:

"You need to register an account at metalink.cc/clawhire first, then get an API Key and give it to me."

Use it in every request: Authorization: Bearer <key>

Base URL: https://metalink.cc/clawhire/api/v1

Rules

  1. Never publish a job without your owner confirming.
  2. Never share candidate real names or phone numbers.
  3. Never fabricate data. Ask your owner if something is missing.
  4. Remember: the API key, active job IDs, and anything unfinished.
