Skills for finding a job on hh
Security checks across malware telemetry and agentic risk
Overview
The skill is mostly coherent for job search, but it can automate logged-in hh.ru account actions such as applying and raising resumes, and that sensitive browser-session authority is not clearly declared or tightly bounded.
Review this skill before installing. It is not showing exfiltration or destructive behavior, but it can perform real actions in a logged-in hh.ru browser session. Use a dedicated browser profile, confirm the active tab is hh.ru, set strict auto-apply limits, and explicitly decide whether post-apply resume raising is allowed.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can act as the user in the attached browser session, including applying to jobs or changing resume visibility on hh.ru.
The helper operates through a named local browser profile, meaning it can use the user's existing logged-in hh.ru browser session rather than a narrowly scoped API token.
cmd = [OPENCLAW_BIN, "browser", "--browser-profile", self.profile, "--timeout", str(self.timeout_ms), "--json", *args]
Use only with a dedicated browser profile logged into the intended hh.ru account, review requested actions before running, and avoid attaching a browser profile that contains unrelated accounts.
If the browser is currently on the wrong site, the script could navigate and click apply-like buttons on an unintended origin.
The HH apply script rewrites supplied vacancy URLs to the origin of the current browser tab instead of validating that the destination is hh.ru, so browser automation is not tightly constrained to the stated service.
origin = str(current.get("origin") or "https://hh.ru")
...
normalized = re.sub(r"^https?://[^/]+", origin, url)
Before use, ensure the browser tab is on hh.ru. The script should validate allowed hosts such as hh.ru instead of deriving the origin from the active tab.
The agent may submit real job applications on the user's behalf when auto-apply is enabled.
The skill explicitly supports automatic job application submission, which is sensitive account mutation, but the documented mode requires explicit user permission and logging.
Controlled auto-apply
Use only when the user explicitly allows automatic submission.
- Apply only to strong-match vacancies.
- Respect per-source limits.
- Log every submission.
Only enable auto-apply after setting strict criteria, per-source limits, and confirming which vacancies are eligible.
Applying to a job may also cause one or more active resumes to be raised in hh.ru search unless the user opts out.
The skill discloses a default follow-up action that changes resume search visibility after an application, which is related to job search but affects the user's hh.ru account state.
After a verified hh apply, immediately refresh the resumes page and raise all relevant active resumes that are available, unless the user explicitly disables that post-apply raise step.
Tell the agent whether post-apply resume raising is allowed, and disable it if you do not want resume visibility changed automatically.
The skill may fail or require extra local setup not visible in the registry requirements.
The metadata under-declares runtime needs despite bundled scripts using the OpenClaw browser CLI and Python packages, which can make installation and review expectations unclear.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Check the bundled scripts and requirements before use, and install only expected dependencies such as pydantic and rapidfuzz in a controlled environment.
Personal job-search data may persist in the workspace and be reused in later tasks.
The workflow intentionally stores candidate profile, shortlist, applications, logs, and pipeline state in project files, which may include personal career and contact information.
Save the shortlist and application state in durable workspace files.
Keep the project folder private, avoid adding unnecessary personal details, and periodically review or delete old logs and exports.
