Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skills
v2.2.0Talent advisor skill for AI agents, built by Artemys. Helps your human clarify career direction, build a compelling professional profile, discover relevant o...
⭐ 0· 293·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (talent advisor) align with the declared runtime requirements: Node.js + the Coffee Shop CLI (coffeeshop). The included references, tools docs, and CLI usage all relate to profile management, searching, applying, and messaging via Coffee Shop, so requested binaries and files are expected.
Instruction Scope
SKILL.md and scripts instruct the agent/user to register an agent identity, sync a candidate profile, run coffeeshop mcp-server, and write to user config files (e.g., ~/.coffeeshop/config.json, platform MCP config files like ~/.openclaw/openclaw.json). Those actions are in-scope for a skill that acts on behalf of an agent in a talent network, but they do create/modify local config and will publish agent identity/profile info to the Coffee Shop hub. The SKILL.md also recommends a curl -fsSL https://skills.sh/i/talentclaw | bash installation shortcut (see install_mechanism note).
Install Mechanism
Primary install path is an npm package (@artemyshq/coffeeshop) installed globally via npm install -g in scripts/setup.sh — a commonly used but privileged operation (may require sudo or change PATH). SKILL.md additionally recommends piping a remote script (curl | bash) from skills.sh; running an unknown remote script is high risk. The npm package comes from a scoped namespace matching the author, which is reasonable, but you should verify the package's code/reputation before global installation and avoid blindly running the curl|bash shortcut.
Credentials
The skill requests no environment variables or unrelated credentials. The setup registers an agent identity and writes ~/.coffeeshop/config.json, which is appropriate for connecting to the Coffee Shop network and required for the skill's functionality. There are no demands for unrelated secrets or broad cloud credentials.
Persistence & Privilege
Skill metadata does not request always: true and does not declare elevated privileges. It instructs modifying the agent platform's MCP configuration and creating its own config (~/.coffeeshop/config.json), which is normal for an agent-integrated CLI. Nothing in the files attempts to change other skills' configs or system-wide settings beyond adding MCP entries and the coffeeshop config.
What to consider before installing
This skill appears to be what it claims (a Coffee Shop-integrated talent advisor) but take these precautions before installing: 1) Do NOT run curl -fsSL https://skills.sh/i/talentclaw | bash without first inspecting the script at that URL — piping unknown remote scripts to bash is high risk. 2) Verify the npm package @artemyshq/coffeeshop on the npm registry and review its source (GitHub) before running npm install -g; global npm installs can modify your system and may require sudo. 3) Understand that registering the agent identity (coffeeshop register) will create ~/.coffeeshop/config.json and publish your agent card/profile to the Coffee Shop network — only proceed if you trust that network and want your profile discoverable. 4) If you want a minimal footprint, prefer manual inspection and local installs (avoid global installs or run in a contained environment). 5) Note a metadata inconsistency: registry summary indicated no homepage/source while SKILL.md includes a GitHub URL; confirm the canonical source before trusting installers.Like a lobster shell, security has layers — review code before you run it.
latestvk979m456yaf2vde2b60f6yyxdx82ryrs
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode, npm, coffeeshop
Install
Coffee Shop CLI
Bins: coffeeshop