Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Apply

v0.1.5

Automated job search and application for LinkedIn and Wellfound. Searches for matching roles every 12 hours, AI-filters and scores them, applies automaticall...

by Matthew Jackson (@mattjackson)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability
The skill's stated purpose (search + auto-apply on LinkedIn and Wellfound) matches the contents: it uses stealth browsers (Kernel), form filling, and optional AI scoring/answer generation. However the package/registry metadata provided at the top of the submission (Required env vars: none) is inconsistent with the repository's claw.json and SKILL.md, which require KERNEL_API_KEY (required) and optionally ANTHROPIC_API_KEY. That mismatch is an incoherence that should be resolved before trusting the registry metadata. The use of Kernel (residential proxies, managed auth) and Playwright is proportionate to the stated goal.
Instruction Scope
Runtime instructions and code explicitly read your profile.json and resume path, interact with LinkedIn/Wellfound sessions via Kernel-managed auth, send job descriptions and candidate context to Anthropic/Claude for scoring and answer generation, and send/receive notifications via Telegram. These actions are consistent with the stated function but mean PII (resume, profile, job context) will be transmitted to external services (Kernel and Anthropic) if configured. The SKILL.md contains system-prompt text for Claude; a prompt-injection pattern was detected by the scanner but the skill claims these are normal system prompts used in API requests.
Install Mechanism
There is no registry install spec in the submission (the skill is instruction + repo). Install is standard: git clone + npm install, plus optional global install of Kernel CLI (npm -g @onkernel/cli). Playwright is a dependency (npm install will pull it and potentially browser artifacts). No arbitrary downloads from untrusted URLs were found in the provided files. This is typical for a Node.js project but you should be prepared for the usual npm dependency risks and large Playwright downloads.
Credentials
The code and SKILL.md legitimately require KERNEL_API_KEY (Kernel-managed stealth browser service) and optionally ANTHROPIC_API_KEY. Those are proportionate to the functionality. However the registry-level summary incorrectly listed "Required env vars: none" (incoherent with claw.json and SKILL.md). Also note personal data (resume text, profile data) is read locally and—when ANTHROPIC_API_KEY is provided—sent to Anthropic; pdftotext may be invoked (execFileSync) to extract text from PDFs if available. Requiring KERNEL_API_KEY grants the skill access to a remote service that will manage and store auth sessions for LinkedIn/Wellfound — this is expected but increases the attack surface and trust requirements.
Persistence & Privilege
No 'always: true' privilege is requested. The skill stores and updates its own local data files (data/, config/answers.json) and uses Kernel managed auth and proxies; it does not appear to modify other skills or system-wide agent settings. Cron scheduling is optional via OpenClaw; the applier supports a --preview mode so you can test before enabling autonomous runs.
Scan Findings in Context
[system-prompt-override] expected: SKILL.md and several code files include 'systemPrompt' / 'You are...' text intended for Claude/Anthropic API usage. The scanner flagged a system-prompt-override pattern in SKILL.md; in context this appears to be the normal system prompt used for the model, not an attempt to override platform prompts. Still, any embedded system prompts should be reviewed to ensure they don't contain instructions that would attempt to influence the host agent or exfiltrate data.
Assessment
This skill largely does what it says, but review these points before installing:

- Metadata mismatch: The registry summary claims no env vars, but the repo requires KERNEL_API_KEY (required) and optionally ANTHROPIC_API_KEY. Treat KERNEL_API_KEY as mandatory if you want stealth browser automation.
- Privacy / data exfiltration: If you enable ANTHROPIC_API_KEY the skill will send job text, candidate profile, and resume snippets to Anthropic (Claude) for scoring and answer generation. If you care about keeping your resume/profile private, avoid providing ANTHROPIC_API_KEY or scrub sensitive fields from profile.json.
- Kernel trust: The skill relies on Kernel (kernel.sh) for stealth browsers, managed auth connections, and residential proxies. That means login flows for LinkedIn/Wellfound are handled by Kernel; you must trust their service to store and refresh those sessions. Kernel proxy usage may have cost and privacy implications.
- Test in preview/manual mode: Use node job_applier.mjs --preview and run searches locally (job_searcher.mjs) to observe behavior before allowing automatic applies. Start with enabled_apply_types set to ['easy_apply'] and max_applications_per_run=1 while testing.
- Inspect system prompts and constants: If you are cautious, inspect lib/constants.mjs (confirm the Anthropic endpoint) and the systemPrompt strings in lib/*.mjs to ensure they only target the model and do not attempt to alter agent/platform behavior.
- pdftotext and child process: The code will try to run pdftotext on PDF resumes if present; this uses child_process.execFileSync with array args (not shell interpolation), which reduces injection risk, but you should ensure pdftotext is the expected binary.
- Source trust & license: The repo author is 'MattJackson' and license is AGPL. If you do not trust the source, run in an isolated environment or skip installing.
If you accept these trade-offs and trust Kernel/Anthropic for your use case, the code and instructions appear coherent for the stated purpose. If you do not want external model or Kernel involvement, disable ANTHROPIC_API_KEY and use 'browser.provider' = 'local' (and review settings) or do not provide KERNEL_API_KEY.


latestvk9778a53rk3hbaqtrzankbq0js82fyxh

