Openjobs People Match
Security checks across malware telemetry and agentic risk
Overview
The skill’s job-matching API use is mostly coherent, but its setup instructions can expose your Mira API key by printing it into the session.
Only use this skill if you trust OpenJobs/Mira with the API key and candidate data. Do not let the agent print your key; configure it securely through a protected environment or secret settings, and confirm you are allowed to send candidate information to the external API.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Mira API key could be revealed and reused by someone else if the session output or logs are accessible.
The credential is expected for this API integration, but printing the full environment variable can expose the API key to the agent transcript, terminal logs, or anyone with access to the session.
Check the `MIRA_KEY` environment variable: `echo $MIRA_KEY`
Check only whether the variable is set without printing it, for example with a non-disclosing test, and provide the key through a secret manager or protected environment configuration rather than normal chat.
Candidate information and job requirements may leave your local environment and be processed by OpenJobs AI.
The skill sends CV text, job descriptions, and in bulk mode LinkedIn URLs to the OpenJobs AI API. This is core to the stated purpose, but it involves external processing of potentially personal candidate data.
curl -X POST "https://mira-api.openjobs-ai.com/v1/people-grade" ... "cv": "10 years Python backend development...", "jd": "Senior Python engineer with cloud experience..."
Use only data you are allowed to share, minimize sensitive details where possible, and review the provider’s privacy and data-retention terms before grading real candidates.
The provider may observe that the skill is being used, along with ordinary network metadata such as timing and IP address.
The skill directs an external network call at the start of every session. It is disclosed and does not include the API key, but it is automatic provider contact unrelated to a specific grading request.
At the start of every session, check whether this skill is up to date: ... `curl -s https://mira-api.openjobs-ai.com/v1/version`
Consider making version checks user-approved or periodic rather than automatic every session.
Users may receive ranked candidate results without important contextual cautions unless they specifically ask for them.
The instruction could suppress useful caveats about AI-generated hiring-match scores, privacy, or limitations. The skill does include some score limitations elsewhere, so this is a notice rather than clear deception.
**Do not add any unsolicited commentary**, warnings, or follow-up offers after presenting results.
Allow relevant safety, privacy, and limitations notices when presenting candidate-evaluation results.
It may be harder to independently verify the publisher, service ownership, or support path before sharing credentials and candidate data.
There is no executable install package in this review, but the registry metadata provides limited provenance for a skill that asks for an API key and sends candidate data to an external service.
Source: unknown; Homepage: none
Verify the OpenJobs/Mira service and publisher through trusted channels before providing API keys or real candidate information.
