Skillv1.0.0

ClawScan security

iHRFlow HR Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 13, 2026, 7:18 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and required secrets are consistent with an MCP-based HR assistant; nothing in the files indicates behavior outside the stated recruiting purpose, but a few minor documentation mismatches and operational security considerations (session file in /tmp, credential handling, unknown upstream source) reduce confidence.
Guidance: This skill appears to be what it says: an MCP client for iHRFlow using curl+jq. Before installing: (1) Verify the IHRFLOW_MCP_URL points to your trusted MCP server (don't point it to an unknown host); (2) Be aware you must provide username/password (and optionally tenant_id/API key); these are stored in your OpenClaw configuration/environment — consider using the platform vault/secrets feature rather than plain environment variables; (3) The helper stores a session id under /tmp for the current user — on multi-user hosts review permissions and remove stale session files if needed; (4) Source/homepage is not provided in the skill metadata — if you don't already trust the provider, try to obtain the upstream repository or vendor contact before use. If you want higher assurance, ask the publisher for a verifiable source (GitHub repo or vendor site) and/or audit the MCP server endpoint and its required transport API key policy.

Review Dimensions

Purpose & Capability: okName/description (iHRFlow HR assistant) match the implemented behavior: the helper script talks to an MCP endpoint and exposes recruiting-related tools. Required binaries (curl, jq) and required env vars (MCP URL, username, password) are appropriate for an HTTP+JSON CLI client.
Instruction Scope: okSKILL.md instructions only direct the agent to run the included helper script (init/login/call/resource) and to call iHRFlow MCP tools and resources. The instructions do not ask the agent to read unrelated system files, exfiltrate arbitrary data, or call unexpected endpoints beyond the configured MCP URL. Network and shell permissions are declared and expected.
Install Mechanism: okNo install spec; skill is instruction-only with an included shell helper script. No remote downloads or arbitrary install URLs. This is low-risk from an installer perspective.
Credentials: noteThe skill requires IHRFLOW_MCP_URL, IHRFLOW_USERNAME, IHRFLOW_PASSWORD which are proportionate. Documentation and changelog also mention optional IHRFLOW_TENANT_ID and IHRFLOW_API_KEY (transport API key) even though only three env vars are declared as required — minor inconsistency but these optional vars are sensible. Operational note: credentials are expected to be provided via environment/config and the script will send X-API-Key and session headers if set; storing passwords in env and session IDs in files has usual risks.
Persistence & Privilege: noteThe skill does not request always:true and does not modify other skills. It writes a session id to /tmp/ihrflow-mcp-session-${USER}, which is normal for a client but has typical risks: session token stored on disk, potential for race/permission issues in shared environments. No other elevated privileges requested.