Job Hunter

Security checks across malware telemetry and agentic risk

Overview

This job-search skill is coherent for its purpose, but users should know it scrapes LinkedIn and stores job-search data plus an optional Gemini API key locally.

Install only if you are comfortable with the skill making LinkedIn and Gemini network requests and storing local files in ~/.openclaw/job-hunter/. Use a dedicated Gemini API key, avoid placing secrets in saved job notes, and periodically delete config.json, history.json, or saved.json if you no longer need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill exercises network access and writes persistent local files, but does not declare corresponding permissions or clearly surface those capabilities as security-relevant behavior. This can bypass user/admin expectations and consent controls, especially because it stores configuration, history, and saved jobs under the user's home directory while also scraping external sites.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose focuses on job search and AI scoring, but the skill also stores a Gemini API key, maintains search history, and saves bookmarked jobs locally. That mismatch is security-significant because users may disclose credentials and personal job-seeking data without realizing the skill persists them, increasing privacy and secret-handling risk.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger list is broad enough to activate on general employment-related conversation, which may cause the skill to run when the user did not intend a LinkedIn scraping workflow. Unintended invocation matters here because the skill can prompt for credentials, make network requests, and persist search-related data locally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the user to place a Gemini API key directly into a command and save it locally, but provides no warning about secret sensitivity, storage protection, shell history exposure, or file permissions. This creates a realistic risk of credential leakage through terminal history, logs, screenshots, or weakly protected config files.

Ssd 3

Medium
Confidence
94% confidence
Finding
The search command stores the full user-supplied params object, including free-text fields like keywords, exclude terms, locations, and ai_prompt, into a persistent history file and later exposes it through cmd_history. This can leak sensitive job-search intentions or personal/professional details to other local users, later agent actions, or anyone with access to the account or terminal output.

Ssd 3

Medium
Confidence
92% confidence
Finding
The save command accepts arbitrary JSON and persists it verbatim, and the saved listing command later returns the full stored objects. Because the input is not constrained to expected job fields or sanitized, any sensitive or attacker-controlled content passed to save can be retained indefinitely and re-exposed, increasing the risk of local data leakage and downstream prompt/output injection in systems that later consume this JSON.

VirusTotal

63/63 vendors flagged this skill as clean.
