iHRFlow HR Assistant
v1.0.0iHRFlow HR assistant for recruiting. Use when searching candidates, managing positions, scheduling interviews, advancing pipeline, or viewing recruitment stats.
⭐ 0· 187·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (iHRFlow HR assistant) match the implemented behavior: the helper script talks to an MCP endpoint and exposes recruiting-related tools. Required binaries (curl, jq) and required env vars (MCP URL, username, password) are appropriate for an HTTP+JSON CLI client.
Instruction Scope
SKILL.md instructions only direct the agent to run the included helper script (init/login/call/resource) and to call iHRFlow MCP tools and resources. The instructions do not ask the agent to read unrelated system files, exfiltrate arbitrary data, or call unexpected endpoints beyond the configured MCP URL. Network and shell permissions are declared and expected.
Install Mechanism
No install spec; skill is instruction-only with an included shell helper script. No remote downloads or arbitrary install URLs. This is low-risk from an installer perspective.
Credentials
The skill requires IHRFLOW_MCP_URL, IHRFLOW_USERNAME, IHRFLOW_PASSWORD which are proportionate. Documentation and changelog also mention optional IHRFLOW_TENANT_ID and IHRFLOW_API_KEY (transport API key) even though only three env vars are declared as required — minor inconsistency but these optional vars are sensible. Operational note: credentials are expected to be provided via environment/config and the script will send X-API-Key and session headers if set; storing passwords in env and session IDs in files has usual risks.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes a session id to /tmp/ihrflow-mcp-session-${USER}, which is normal for a client but has typical risks: session token stored on disk, potential for race/permission issues in shared environments. No other elevated privileges requested.
Assessment
This skill appears to be what it says: an MCP client for iHRFlow using curl+jq. Before installing: (1) Verify the IHRFLOW_MCP_URL points to your trusted MCP server (don't point it to an unknown host); (2) Be aware you must provide username/password (and optionally tenant_id/API key); these are stored in your OpenClaw configuration/environment — consider using the platform vault/secrets feature rather than plain environment variables; (3) The helper stores a session id under /tmp for the current user — on multi-user hosts review permissions and remove stale session files if needed; (4) Source/homepage is not provided in the skill metadata — if you don't already trust the provider, try to obtain the upstream repository or vendor contact before use. If you want higher assurance, ask the publisher for a verifiable source (GitHub repo or vendor site) and/or audit the MCP server endpoint and its required transport API key policy.Like a lobster shell, security has layers — review code before you run it.
latestvk97dw9q5f2gxrhhr757k0ajnyd82vttb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
briefcase Clawdis
Binscurl, jq
EnvIHRFLOW_MCP_URL, IHRFLOW_USERNAME, IHRFLOW_PASSWORD
Primary envIHRFLOW_MCP_URL