ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recruitis

v1.0.2

Recruitis integration. Manage Persons, Organizations, Jobs, Candidates, Activities, Notes and more. Use when the user wants to interact with Recruitis data.

0· 86·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (Recruitis integration) align with the instructions: the SKILL.md consistently documents using Membrane to connect to Recruitis, discover actions, run actions, and proxy API calls. Required credentials and external services mentioned (a Membrane account) match the stated purpose.
Instruction Scope
Instructions are focused on installing and using the Membrane CLI and on creating/using a Recruitis connection via Membrane. They instruct installing an npm CLI, running login flows in a browser (including headless code-exchange), listing actions, running actions, and proxying arbitrary API paths via Membrane. The proxy capability legitimately supports advanced use-cases but also lets a user/agent issue arbitrary HTTP requests to the Recruitis API via Membrane—this is expected for a connector but is the main surface a user should be aware of.
Install Mechanism
There is no formal install spec in the skill bundle (it's instruction-only). The SKILL.md asks the user to install @membranehq/cli globally via npm and uses npx in examples. That is reasonable for this integration, but it does require the host to have npm and will install a global package when followed.
Credentials
The skill declares no required environment variables or secrets. The SKILL.md instead requires a Membrane account and an interactive browser-based login; this is proportional to the stated functionality and consistent with the guidance to let Membrane handle auth rather than collecting API keys locally.
Persistence & Privilege
Skill metadata does not request always:true and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges here.
Assessment
This skill is coherent: it expects you to install and use the Membrane CLI and to authenticate to Membrane via a browser. Before installing/running: 1) verify you trust the @membranehq/cli package and the Membrane service (it will mediate access to Recruitis on your behalf); 2) be aware that following the proxy examples lets the agent issue arbitrary Recruitis API calls via Membrane—only grant access for the scope you intend; 3) installing the CLI requires npm and will place a global package on your system; and 4) revoke or remove the Membrane connection if you no longer want that integration to have access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97893rvg7rvva1atxyw1n07k1842bxb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments