Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HireEase Skill

v1.0.0

Tailor a client resume for a matching new job, generate a PDF from the tailored LaTeX, and record the application in the HireEase portal (the same effect as...

by Mohammad Ibrahim Saleem (@ibrahimsaleem)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill's stated purpose (tailor resume → generate PDF → record application) aligns with the API calls and file outputs in SKILL.md. However, the package metadata declares no required environment variables or credentials, while SKILL.md explicitly expects HIREEASE_AGENT_EMAIL, HIREEASE_AGENT_PASSWORD, HIREEASE_API_BASE (and optional HIREEASE_CLIENT_EMAIL). The registry therefore understates the skill's real requirements; the declared metadata and the actual instructions are inconsistent.
Instruction Scope (flagged)
Instructions direct the agent to log in to HireEase API, write LaTeX/PDF files to scripts/output, perform job discovery (potentially via browsing), and — optionally — use browser automation to upload PDFs to a client's Google Drive session. The document does not declare how browser automation or access to a client's Google session is obtained (no required config paths, no Google credentials declared). That gives the skill broad discretion to access browser sessions/cookies if the agent environment supports it, which is not mentioned in the registry metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers install risk. (The skill does instruct runtime file writes, but there is no separate install mechanism to review.)
Credentials (flagged)
The SKILL.md requires sensitive env vars (HIREEASE_AGENT_EMAIL and HIREEASE_AGENT_PASSWORD) and an API base URL — appropriate for interacting with the HireEase backend — but the registry metadata lists no required env vars. Also, the skill implicitly expects access to a client's Google session for Drive uploads without declaring required Google credentials or config. Requesting an agent-stored HireEase password is proportionate to the purpose, but the mismatch between declared and required env vars and the unadvertised Google session access are red flags.
Persistence & Privilege
The skill does not request persistent always:true presence or any special platform-wide privileges. It only describes normal runtime activity (API calls, file writes, optional browser automation).
What to consider before installing
This skill mostly does what it says, but note two important issues before installing:

1) SKILL.md requires sensitive environment variables (HIREEASE_AGENT_EMAIL, HIREEASE_AGENT_PASSWORD, HIREEASE_API_BASE) and will log in to the HireEase API and save files to scripts/output. The registry metadata incorrectly lists no required env vars — confirm you will supply and securely store these credentials before use.

2) The skill optionally relies on browser automation and an already-logged-in Google account/session to upload the generated PDF to Google Drive. The SKILL.md does not declare how it accesses browser sessions or cookies. If you enable browser automation, make sure the agent environment and account sessions you provide are intentionally shared and that you consent to using the client's Google session for uploads.

Other recommendations: verify that the base URL you provide is the real HireEase endpoint (avoid untrusted or personal URLs), do not paste passwords or tokens into chat (the skill itself says not to), and consider running the skill in a restricted/test environment first to observe its runtime behavior and file outputs. If you want lower risk, ask the publisher to update the registry metadata to declare required env vars and to explicitly state which agent capabilities (browser automation, filesystem paths) are required.

Like a lobster shell, security has layers — review code before you run it.
