ClawHub
Back to skill
v1.0.0

Indeed Monitor

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:31 AM.

Analysis

The skill largely matches its stated lead-scraping purpose, but it deserves review because it drives a local Chrome profile/session and relies on undeclared local helper tools.

GuidanceReview before installing. If you use it, run the browser version with an isolated Chrome profile or logged-out relay, verify the local scrapling/openclaw helpers, and only use --save after checking the generated leads.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
monitor.py
SCRAPLING_SCRIPT = "/Users/wlc-studio/StudioBrain/00_SYSTEM/skills/scrapling/scrape.py" ... subprocess.run(["python3", SCRAPLING_SCRIPT, "web", url]

The fallback scraper executes a separate local Scrapling helper outside this skill's manifest. That dependency is purpose-aligned but not included in the reviewed package.

User impactActual behavior depends on local helper code that was not part of this artifact set, so the user must trust and maintain that separate tool as well.
RecommendationVerify the local scrapling helper and OpenClaw browser tooling before running, and prefer packaging or declaring these dependencies explicitly.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
monitor_browser.py
["openclaw", "browser", "navigate", "--url", url, "--profile", "chrome"] ... ["openclaw", "browser", "snapshot", "--profile", "chrome", "--compact"]

The browser version navigates and snapshots pages using the Chrome profile. That may use the user's existing browser session or account state, but the artifacts do not clearly bound or isolate that profile access.

User impactThe skill could read content rendered in a logged-in Chrome/Indeed session and save or print account-specific page content, even though its purpose is only public job monitoring.
RecommendationRun it only with an isolated browser profile or non-logged-in browser relay, and declare/review the browser-profile permission before use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
monitor_browser.py
with open(LEADS_FILE, "a") as f: ... f.write(f"| {lead['company']} | {lead['title']} | {lead['location']} | {signals} |\n")

When --save is used, scraped page-derived text is appended to a persistent Markdown lead list.

User impactIncorrect or adversarial text from job postings could become part of a persistent lead list and be reused later without context.
RecommendationReview saved leads, escape or sanitize Markdown table fields, and use --save only when the output looks trustworthy.