Jobclaw Recruit
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill bundle is classified as suspicious due to a prompt injection vulnerability identified in `SKILL.md`. The instructions guide the AI agent to construct JSON payloads for `scripts/publish_job.py` and `scripts/get_profile.py` by directly embedding user input. A malicious user could craft input containing valid JSON fragments that override critical parameters like `action` or `jobId`, leading the agent to execute unintended API calls (e.g., deleting a job instead of publishing one, or accessing data for an arbitrary job ID if authorization allows).

While this is a significant vulnerability, the Python scripts themselves do not exhibit malicious behavior such as data exfiltration to external domains, arbitrary code execution, or persistence mechanisms. They interact solely with the legitimate `https://api.jobclaw.ai` endpoint and store tokens locally within the skill's directory.
