Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jobclaw Recruit
v1.0.0
Help recruiters publish job postings to the job matching system. Use when users want to: (1) post a job, (2) publish a position, (3) hire someone, (4) recruit candidates, (5) find employees, or (6) advertise job openings. Supports flexible information collection - users can provide all details at once or be guided through step-by-step. Automatically creates recruiter account, generates job vectors, and enables AI-powered candidate matching.
by jobclaw@imluyu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (publish jobs, manage jobs, view matches) align with the provided scripts. The code talks to a job-matching API (DEFAULT_API = https://api.jobclaw.ai) and implements publish/update/delete/list operations that match the skill description. No unexplained environment variables, unusual binaries, or unrelated packages are requested.
Instruction Scope
SKILL.md instructs running the included Python scripts with JSON input; the scripts only call the configured API endpoints and do not read arbitrary system files or scan unrelated state. However, the scripts accept an apiUrl override in the input, so they can be directed to any HTTP endpoint — this is useful for pointing to alternate deployments but also means an attacker-supplied apiUrl could make the skill talk to a malicious server. Also, publish_job.py appends the auth token into its returned JSON (and the token is saved locally), so token values can appear in CLI output and potentially be exposed in chat logs or agent transcripts.
Install Mechanism
No install spec; the skill is instruction + scripts only. No external downloads or package installs are performed by the skill itself, so there is no additional install-time code-risk.
Credentials
The skill requests no environment variables or external credentials. It does create and persist a token in a local file (.token) next to the scripts and returns the token in result JSON. This is proportionate for a client that needs an API token, but users should be aware the token is stored on disk and printed to stdout (possible information exposure).
Persistence & Privilege
The skill does not request elevated platform privileges and is not marked always:true. Its only persistence is writing a local .token file for the recruiter's API token and caching it in memory — behavior consistent with an authenticated client library.
Assessment
This skill appears to do what it says: it is a simple CLI client that talks to a JobClaw API and manages tokens locally. Before installing, confirm you trust the skill source and the API endpoint (DEFAULT_API is https://api.jobclaw.ai). Important cautions: (1) the scripts accept an apiUrl override in the input — avoid supplying or accepting untrusted apiUrl values because that could redirect calls to an attacker-controlled server; (2) the auth token is saved to a .token file next to the scripts and is also included in JSON output from publish operations, so the token could be exposed in logs or chat transcripts — delete the .token file if you no longer want the token cached; (3) review and run the scripts in an isolated environment if you are unsure about the remote API. If you need higher assurance, ask the publisher for provenance (homepage, source repo, signing) or run the code through your own network/behavioral checks.
Like a lobster shell, security has layers — review code before you run it.
latestvk978z0k1y2xcts2b0sdr8zt5jx8128fa
