job-hunter-whatsapp

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is coherent for job-search automation, but it handles resumes, API keys, persistent job tracking, scheduled runs, and messaging updates that users should configure carefully.

Install/use only if you are comfortable storing resume and job-search data in local project files. Keep api_keys.json and resume files out of Git and shared folders, review any customized resume before sending it, and enable daily cron or WhatsApp/messaging updates only after confirming the schedule, recipient, and how to turn them off.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or misleading job posting could influence extracted fields or resume wording if not handled carefully.

Why it was flagged

The skill intentionally fetches and uses third-party job description text in agent workflows. This is expected for the purpose, but job postings are untrusted content and should be treated as data, not instructions.

Skill content

Read the actual JD for each new job ... Emphasize matching skills, use language from the JD

Recommendation

Treat job descriptions as untrusted input, ignore any instructions embedded in them, and review customized resumes before use.

What this means

If api_keys.json is exposed or committed, someone else could use the user's API quotas or account access for those providers.

Why it was flagged

The skill asks for optional provider API keys for Adzuna and RapidAPI. This is purpose-aligned, but it is still credential handling.

Skill content

Store keys in `api_keys.json` ... "adzuna": { "app_id": "...", "app_key": "..." }, "rapidapi": { "key": "..." }

Recommendation

Use least-privilege/free-tier keys, verify api_keys.json is actually gitignored, and do not store unrelated credentials there.

What this means

Installing an unpinned package can introduce supply-chain risk or version drift.

Why it was flagged

The helper script relies on an npm dependency, but the provided artifacts do not include a package lock or pinned version.

Skill content

Requires: npm install pdfjs-dist ... import { getDocument } from 'pdfjs-dist/legacy/build/pdf.mjs';

Recommendation

Install a known-good pinned version of pdfjs-dist and review dependency provenance before running the extractor.

What this means

A shared or synced workspace could expose resume details, salary preferences, target roles, and application status.

Why it was flagged

The skill persists personal profile, resume, and job-application data for reuse across workflows.

Skill content

Ask the user for (store in `config.json`) ... Resume file ... save as `resumes/base_resume.md` ... Track status in `tracked_jobs.json`

Recommendation

Use a private workspace, avoid committing these files, and review stored tracker/config data periodically.

What this means

Job-search activity could be sent to the wrong chat or exposed through a messaging integration if configured incorrectly.

Why it was flagged

The skill plans to send job-search summaries to an external messaging channel, but the artifact does not define the exact channel authentication or recipient verification.

Skill content

Status Update — Daily ... Read tracker, compile summary, send to user's messaging channel

Recommendation

Confirm the recipient, channel, and authentication method before enabling messaging updates, and avoid including sensitive details unless needed.

What this means

If enabled, the skill may continue querying job APIs, updating local files, and sending summaries every day.

Why it was flagged

The skill documents recurring background jobs. This persistence is aligned with automated job alerts, but it continues operating after setup.

Skill content

Set up two cron jobs: Job Finder — Daily ... Status Update — Daily

Recommendation

Enable cron only after explicit consent, set clear schedules and API budgets, and document how to pause or remove the jobs.