Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Interviewly

v1.0.0

AI-powered voice mock interview platform that analyzes job descriptions and conducts adaptive interviews with real-time feedback.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and openapi.json describe a coherent interview API (analyze JD, start, submit, end, download). However, openapi.json has no 'servers' entry, the package has no homepage/source, and the registry metadata doesn't supply an API host or auth mechanism. The examples reference api.toolweb.in in prose, but that host and any required credentials are not declared, so the capability is plausible but missing operational details.
Instruction Scope
The runtime instructions are limited to calling the described HTTP endpoints and handling interview/session data. They do not instruct the agent to read local files, environment variables, or unrelated system state. One minor scope note: submit-response says responses are "evaluated with Claude," which implies external model usage but is framed as server-side behaviour rather than actions the agent itself must perform.
Install Mechanism
No install spec or code is included (instruction-only). That lowers filesystem/execution risk because nothing will be written or executed locally by an installer.
Credentials
No environment variables or credentials are declared, yet the API appears to be a hosted service (examples include api.toolweb.in) and claims to integrate with third-party components (Claude, Redis). A production remote API would typically require a base URL and an API key/token; the absence of declared credentials or configuration is inconsistent and raises the question of how the agent authenticates and where sensitive audio/transcript data will be sent.
Persistence & Privilege
always is false, the skill is user-invocable, and there are no instructions to modify other skills or global agent configuration. The skill does not request permanent agent presence or special privileges.
What to consider before installing
This skill looks like documentation for calling a third‑party Interviewly API, but it omits crucial operational details. Before installing or using it, confirm: (1) the API host/base URL you expect the agent to call (openapi.json currently has no servers entry); (2) whether an API key or other credentials are required and where/how to provide them; (3) the data handling and privacy policy (audio, transcripts, interview content, and PDF reports may contain sensitive personal information); and (4) who operates the remote service (api.toolweb.in was mentioned in examples but the skill has no homepage or source). If you will send real interview audio or personal data, demand documented authentication, TLS/HTTPS endpoints, and a data-retention/privacy statement; otherwise treat the skill as non-functional or misconfigured until those details are provided.

Like a lobster shell, security has layers — review code before you run it.

latestvk975z0yw81n0q0e8j2w6rvb5jh842kyc
