Jobclaw Recruit
Security checks across malware telemetry and agentic risk
Overview
The skill mostly matches its recruiting purpose, but its token handling and unvalidated API endpoint override could expose recruiter account access.
Before installing, verify that you trust the Jobclaw service and do not use any non-default apiUrl unless you fully trust it. Treat the generated token like a password, avoid sharing tool output that includes it, and remember that the skill can publish, update, deactivate jobs, and retrieve candidate resume information.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or malicious apiUrl value could send job posting data or candidate-match requests to an unintended server.
Caller-supplied JSON can change the API destination for publish, update, delete, and match-listing operations, but this endpoint override is not described in the skill workflow.
api_url = data.pop("apiUrl", DEFAULT_API)
...
result = fn(api_url, data)Remove the apiUrl override from normal use, or strictly whitelist the expected Jobclaw API host and require explicit confirmation for any alternate endpoint.
Someone controlling the API URL could receive the recruiter token and potentially access or modify postings and view matched candidates tied to that token.
A saved bearer token is reused and sent to the configured API URL during verification. Because the scripts also accept an apiUrl override, a stored Jobclaw token could be sent to a non-default host.
TOKEN_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), ".token")
...
saved_token = f.read().strip()
...
http_request(f"{self.api_url}/auth/verify", method="GET", token=token)Bind saved tokens to the exact trusted host, store tokens per-host, and never send an existing token to an untrusted or user-supplied endpoint.
The recruiter token can appear in chat transcripts, tool logs, or copied output, increasing the chance that account access is shared unintentionally.
The publish/update/delete/matches script adds the raw authentication token to its JSON output, although SKILL.md only states that the token is automatically saved.
result["token"] = client.token_manager.get_token() ... print(json.dumps(result, ensure_ascii=False, indent=2))
Do not print raw tokens in command output; redact or omit them and keep credential storage separate from user-visible responses.
Candidate personal information may be displayed in the chat and retained in logs or conversation history.
The skill intentionally retrieves candidate profiles and resumes from the provider API into the agent conversation for recruiting analysis.
Candidate details (name, resume, skills, experience, etc.)
Use match-viewing features only when authorized, avoid sharing outputs unnecessarily, and follow applicable candidate privacy requirements.
Installation or use may fail on systems without python3, despite the metadata saying no binaries are required.
The workflow depends on running local python3 scripts, while the registry requirements declare no required binaries. The included code uses standard library modules, so this is a disclosure/setup note rather than a standalone security concern.
cat <<EOF | python3 scripts/publish_job.py
Declare python3 as a required binary and keep the local scripts visible for review.