ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

job-poster

v1.0.0

Post job listings

0· 46·0 current·0 all-time
by@jpengcheng523-netizen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description say 'Post job listings', which is reasonable, but the SKILL.md expects a python script (scripts/job_poster.py) to exist and to use an API key. The published package contains only SKILL.md and no code or declared credentials, so the skill cannot perform its stated purpose as bundled.
!
Instruction Scope
Runtime instructions explicitly tell the agent to run `python3 scripts/job_poster.py` and to set JOB_API_KEY. Those commands reference files and an environment variable that are not present in the package metadata or file manifest. This is an incoherent/incomplete instruction set.
Install Mechanism
There is no install spec and no binaries are pulled in. That is low-risk, but also means the skill relies on external code that is not included.
!
Credentials
SKILL.md asks the user to export JOB_API_KEY, but the skill metadata lists no required environment variables or primary credential. Requesting an API key for a job-posting service is plausible, but the omission in metadata is inconsistent and could lead users to supply credentials without clear justification.
Persistence & Privilege
The skill does not request elevated or persistent privileges; always is false and there are no config-path or system modifications declared.
What to consider before installing
This package is incomplete: it only contains instructions but not the referenced script or a declared API credential. Do not supply any real API keys or run unreviewed scripts from this skill. Ask the publisher for the missing files (scripts/job_poster.py) and an explanation of what JOB_API_KEY is used for, or obtain the official implementation from a trusted source. If you must test, do so in an isolated sandbox with dummy credentials and inspect the actual code before running.

Like a lobster shell, security has layers — review code before you run it.

latestvk974r6f6p8xh5zqttakzvbx55983qaby

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments