Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Freelance Job Scraper
v1.0.0
Autonomous freelance job monitoring agent. Scans Hacker News Who is Hiring, YC jobs board, and remote job aggregators for high-value automation and AI gigs,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The README/description promises scraping HN, YC jobs, and remote aggregators, but the included code (scripts/scan_jobs.py) only implements a simple HN 'Who is Hiring' search via the gh CLI. It also references files (references/hn_jobs_guide.md) that are not present. The required tooling (gh CLI) matches the code, but several claimed capabilities are not implemented.
Instruction Scope
SKILL.md asks for gh CLI auth, Python 3.6+, and 'browser or web fetch' for external boards. The Python file only calls gh to query GitHub search and prints results; it does not attempt to read other system files or environment variables. However the instructions and Quick Start imply broader scraping (YC, remoteok, weworkremotely) that the code does not perform.
Install Mechanism
No install spec and only a small Python script are provided. Nothing is downloaded or written by an installer. This low-install footprint is consistent with an instruction-only skill.
Credentials
No environment variables or credentials are declared. The script does require an authenticated gh CLI to access GitHub; that is proportional to the HN search use. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/always-on privileges or modify other skills. Autonomous model invocation remains enabled by default but is not combined with broad credentials or suspicious behaviors here.
What to consider before installing
This skill is partially implemented and overpromises: it claims to monitor HN, YC, and remote job boards, but the included script only queries Hacker News via the gh CLI. Before installing or running it:
1) Inspect the script locally (you already have it); it only uses the gh CLI and prints results.
2) Be aware that gh runs using your GitHub auth (ensure the token has only the minimal scopes you are comfortable with).
3) The script has bugs: it assumes reply_count is 0 (so it always awards 'low competition' points), and when you pass --output it actually writes an empty file because it never captures the printed report into a string.
4) If you expect YC or remote board scraping, do not rely on this package; those features are not implemented.
5) Run it in a disposable environment, or inspect and patch the script to fix the report capture and to implement or remove the advertised sources before trusting it in production use.
Like a lobster shell, security has layers — review code before you run it.
