ClawHub

Claw Apply

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent job-application automation tool, but it can automatically submit real applications and send sensitive profile data to external services with limited safeguards.

Install only if you are comfortable with a tool that can use your authenticated LinkedIn/Wellfound sessions to submit applications and share profile or resume-derived data with Anthropic, Telegram, Kernel, and job sites. Start with preview mode, keep the applier cron disabled until reviewed, set max_applications_per_run conservatively, avoid running debug/test scripts against real accounts, and treat local logs and answers.json as sensitive personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script explicitly claims to be a 'DRY RUN' but still opens the LinkedIn Easy Apply flow, fills form fields, and clicks 'Next'/'Review' to advance the application. That mismatch is dangerous because operators may trust it as non-invasive while it performs real state-changing actions on a live account, potentially submitting data, uploading a resume, or progressing an application farther than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes fully automated job application submission, including unattended scheduling and autonomous retries, but does not warn about the risk of unintended or irreversible submissions. In this context, accidental applications, submissions with stale profile data, or mass submission behavior can have real-world consequences such as reputational harm, account restrictions, or sending inaccurate personal information to employers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README states that the system sends profile, resume-derived context, and application-question data to Claude/Anthropic for filtering and answer suggestion, but it does not provide a clear privacy or data-handling warning. Because this data can include sensitive personal and employment information, users may unknowingly transmit PII to a third party without understanding retention, exposure, or compliance implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly describes fully autonomous job applications, form filling, and submission to third-party platforms, but it does not present a prominent upfront warning about the privacy, consent, and account-risk implications before users enable automation. Because the workflow can transmit resumes, contact information, work authorization, salary targets, and learned answers to external sites and AI services, insufficient warning and consent framing materially increases the chance of unintended data disclosure or unauthorized submissions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly advertises automated job applications using stealth browsers, which are impactful external actions that can submit data and interact with third-party services on the user's behalf. Without any warning, consent language, or safety constraints in the manifest, users may enable a skill that performs consequential actions unexpectedly, increasing risk of account misuse, platform policy violations, and unintended submissions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest requires or supports sensitive credentials including API keys and Telegram messaging configuration, but provides no warning about credential handling, storage, or transmission to external services. In a skill that also has network, browser, filesystem, and messaging permissions, this omission materially increases the chance that secrets or personal job-application data could be exposed, misrouted, or sent to third parties without informed user understanding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script drives a real browser to a live LinkedIn job application URL and automatically clicks through the application flow without any explicit user confirmation, environment gating, or sandboxing. Even though it appears framed as debugging, it performs state-changing actions against a real third-party service and could unintentionally submit application data, alter user-facing account state, or violate platform expectations if run with authenticated session cookies.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code globally tees all stdout/stderr to a persistent local log file, and this script prints sensitive workflow data including job titles, companies, unknown application questions, AI-generated answers, stack traces, and status details. In a job application automation context, that creates a real confidentiality risk because personal application content and potentially sensitive prompts/responses are retained in cleartext on disk without minimization or redaction.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script tees all stdout/stderr into a local log file and also persists run metadata to JSON history files. Because these outputs can include job search terms, platform activity, errors, and potentially sensitive operational context, they create a privacy and data-retention risk if local files are accessible to other users, backups, or support tooling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script uses API credentials and sends outbound data to third parties: AI keyword generation via an Anthropic API key and Telegram notifications containing run summaries. In an agent-skill context, silent external transmission is security-relevant because users may not expect search-derived metadata or profile-derived prompts to leave the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function assembles a detailed candidate summary containing personal and potentially sensitive employment data, including resume contents, location, salary, work authorization, LinkedIn URL, and cover letter text, then sends it to Anthropic's external API. There is no evidence in this file of explicit user consent, data minimization, redaction, or disclosure, so this creates a real privacy and compliance risk if users do not understand or approve that their personal data is being transmitted off-system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function silently creates and uses remote proxy and browser resources, which can route traffic through third-party infrastructure and incur cost or compliance exposure without explicit user awareness. In an agent skill context, hidden network-backed actions are more dangerous because they can exfiltrate browsing activity, alter the apparent source of traffic, and surprise operators who expected only local browser automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends candidate profile data, target job profile data, and job listing content to Anthropic's Batch API, which is a third-party service. Even if this is functionally required, the absence of any user-facing notice, consent mechanism, or data-minimization control in this flow creates a real privacy and data-governance risk, especially if profiles contain sensitive personal or employment information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends candidate PII and application context, including name, location, years of experience, job target, and previously answered questions, to an external AI endpoint whenever apiKey is present. In a job-application skill, this is especially sensitive because answers may contain personal, employment, or protected-category information, and there is no consent gate, minimization, or visible disclosure here.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The module persistently writes newly learned answers to answersPath on disk without any visible notice, approval, retention policy, or sensitivity filtering. In this skill's context, saved answers can accumulate personal or sensitive application responses over time, creating a local privacy and data-exposure risk if the file is shared, synced, or accessed by other processes/users.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The function sends a detailed candidate profile, including name, location, salary expectations, work authorization, relocation preference, and background summary, to a third-party LLM API. In a job-search skill this may be functionally intended, but without explicit consent boundaries, data minimization, or disclosure, it creates a privacy and compliance risk because sensitive personal/employment data is transferred off-platform and could be logged, retained, or mishandled by the external provider.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
When run with --telegram, the script sends aggregated status data to an external service without any confirmation, warning, or in-file disclosure of what information leaves the local environment. In an agent skill context, this is more concerning because queue contents and last-applied metadata may include sensitive job-search information, and the exfiltration path is triggered by a simple CLI flag.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script is designed to automate LinkedIn job applications and uses a simple command-line flag (--submit) to enable an irreversible action with no secondary confirmation, preview, or safety interlock. In this context, accidental execution could submit inaccurate, undesired, or policy-violating applications at scale, causing reputational and account risk for the user.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script automatically opens a live LinkedIn Easy Apply flow and programmatically advances through application steps without any user-facing confirmation, dry-run guard, or environment restriction. Even though it appears to be test/debug code for inspecting fields, running it against a real application endpoint can trigger unintended interactions with a third-party service, alter application state, or submit user data under an authenticated session.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script launches a browser session and executes an automated LinkedIn easy-apply workflow against a live job posting with no interactive confirmation, dry-run mode, or explicit safety warning. In the context of an agent skill, that means running the file can trigger real external actions on a third-party service using the user's authenticated session, causing unintended submissions, account misuse, or platform-policy violations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script logs a detailed snapshot of form inputs, textareas, fieldsets, selects, and checkboxes from a live LinkedIn Easy Apply modal. Those structures can contain sensitive personal or employment data derived from the user's profile or application answers, and writing them to stdout can expose that data to local logs, CI systems, terminals, shell history capture, or monitoring tools without any consent or redaction.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script automatically opens a live LinkedIn job application flow and waits for the Easy Apply modal without any interactive confirmation, dry-run mode, or user-facing disclosure. In an agent or automation context, this can trigger unintended interactions with a real application workflow, increasing the risk of accidental submissions, state changes, or disclosure of profile data to a third-party site.

Ssd 3

Medium
Confidence
98% confidence
Finding
This finding is confirmed by the explicit monkey-patching of process.stdout.write and process.stderr.write to write every console message into data/applier.log. Because later code logs AI answers, user-facing application questions, company/title details, and errors, the log becomes a durable plaintext record of sensitive application and model-generated content that could be exposed to other local users, backups, or incident responders.

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@onkernel/sdk": "^0.15.0",
    "playwright": "^1.40.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
95% confidence
Finding
"playwright": "^1.40.0"

Known Vulnerable Dependency: playwright==1.40.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
98% confidence
Finding
playwright==1.40.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal