ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PLC Job Scraper

v1.0.0

Automaticky vyhledává PLC, automation a SCADA pracovní nabídky z LinkedIn, Indeed a dalších job boardů. Ideální pro PLC programátory a automation inženýry hl...

0· 59·1 current·1 all-time
byCaisik@cjmore66
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (PLC job scraper) align with the SKILL.md: instructions describe searching LinkedIn, Indeed, Glassdoor and exporting job results. Requested functionality (scrape job boards, export CSV/Google Sheets, send notifications) is coherent with the stated purpose.
!
Instruction Scope
Instructions tell the agent to run an external Apify actor (caisik/plc-job-scraper), call python scripts (export_to_csv.py, export_to_sheets.py, notify.py) that are not included, and recommend using proxy rotation to '避开' rate limiting. The skill therefore instructs network scraping, external actor invocation, persistent cron scheduling, and advice to evade rate limits — the latter is a red flag for potential TOS violation or covert evasion behavior. Also, instructions reference Google Sheets and Telegram notifications but give no detail about required credentials or safe handling.
Install Mechanism
No install spec and no bundled code files — the skill is instruction-only. This reduces direct install risk but increases reliance on external components (Apify actor, Python scripts) that the SKILL.md expects to exist elsewhere.
!
Credentials
Registry metadata lists no required env vars, but SKILL.md expects environment variables for configuration (JOB_BOARDS, SEARCH_TERMS, LOCATIONS, JOB_TYPE) and references services that typically need secrets (Apify credentials, Google Sheets API credentials, Telegram bot token) without declaring them. The omission of required credential/environment declarations is an incoherence and a risk: you may need to provide sensitive tokens to run the workflows, but the skill does not document or justify them.
Persistence & Privilege
always is false (not force-included), and the skill does not request long-term platform privileges. It instructs cron scheduling for periodic runs, but that is a user-side automation suggestion rather than an implicit platform privilege request.
What to consider before installing
Before installing or running this skill: (1) Inspect the external Apify actor (caisik/plc-job-scraper) source on Apify and verify what code it runs and what credentials it needs; do not run unknown actors without review. (2) Confirm where export_to_csv.py, export_to_sheets.py and notify.py come from — they are not bundled; running missing scripts could lead you to download unknown code. (3) Be cautious about providing service credentials (Apify, Google Sheets, Telegram) — the skill metadata does not declare required secrets but the workflow will likely need them. (4) The SKILL.md explicitly advises proxy rotation to evade rate limits — that can violate site terms of service and increase legal/ethical risk; prefer official APIs or explicit permission. (5) If you proceed, run in an isolated environment, review all remote code before execution, and avoid exposing high-privilege credentials. Additional information that would raise confidence to 'high': the actual Apify actor source, the missing helper scripts provided and reviewed, and a declared list of required environment variables with justification.

Like a lobster shell, security has layers — review code before you run it.

automationvk97fwgh79wq5w7e4xe7g4p0r2184q8mxjobsvk97fwgh79wq5w7e4xe7g4p0r2184q8mxlatestvk97fwgh79wq5w7e4xe7g4p0r2184q8mxplcvk97fwgh79wq5w7e4xe7g4p0r2184q8mx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments