Freelance Job Scraper
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill looks like a simple job-report script, but it asks to use an authenticated GitHub CLI for public job scraping without declaring that credential, and it overstates which job sources it actually scans.
Review carefully before installing. If you run it, understand that it may use your local authenticated GitHub CLI; consider using a low-scope account/token or changing the script to avoid GitHub auth. Also do not rely on it for YC, RemoteOK, or WeWorkRemotely coverage unless those scanners are added.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script may use the user's GitHub login/token for a task where the need for GitHub account authority is unclear.
The skill asks for an authenticated GitHub CLI even though the stated target data is public HN and job-board content, and registry metadata declares no primary credential.
- `gh` CLI authenticated (for HN comments/jobs access)
Declare the GitHub credential requirement explicitly, explain why it is needed, and limit use to read-only/public endpoints or remove the authentication dependency if possible.
Users may install or invoke the skill without realizing it expects a local authenticated GitHub CLI.
This registry contract conflicts with SKILL.md's prerequisite for an authenticated `gh` CLI, so installers and users may not get an accurate dependency/credential warning.
Required binaries (all must exist): none ... Primary credential: none
Update metadata to declare the `gh` binary and any credential expectations, or revise the skill to avoid that dependency.
Users could overtrust the generated report as covering multiple job boards when it only covers the implemented source.
The implementation only invokes the HN scan path, while SKILL.md advertises monitoring YC jobs, RemoteOK, and WeWorkRemotely.
hn_jobs = scan_hn_jobs()
all_jobs = sorted(hn_jobs, key=lambda x: x["score"], reverse=True)
Align the description with the actual implementation or add the missing source scanners before presenting the digest as multi-source coverage.
