v1.0.1

Openjobs People Search

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:52 AM.

Analysis

The skill is coherent for recruiting searches, but its setup instructions can expose the Mira API key by printing it during the credential check.

Guidance: Install only if you trust OpenJobs AI with recruiting queries and candidate lookups. Before using it, set MIRA_KEY securely and avoid running commands that print the key value; ask the agent to confirm only whether the key is present.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Unlock candidate contact info by LinkedIn URL (1–50 URLs) ... Returns `personEmail` and `workEmail` for each URL ... Each URL consumes 1 quota point.

The contact-unlock operation is part of the stated recruiting purpose and is disclosed, but it retrieves personal contact information and spends account quota.

User impact: Using this feature can reveal candidate email addresses and consume paid or limited OpenJobs AI quota.
Recommendation: Use contact unlock only when the user explicitly wants it, and handle returned email addresses according to applicable privacy and recruiting policies.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Check the `MIRA_KEY` environment variable: `echo $MIRA_KEY` ... ask them to provide it, then set it as an environment variable: `export MIRA_KEY="mira_your_key_here"`

The API key is expected for this service, but using `echo $MIRA_KEY` prints the secret into terminal/tool output, where it may be captured in the agent context or logs.

User impact: A leaked Mira API key could let someone else use the user's OpenJobs AI account or consume its quota.
Recommendation: Configure MIRA_KEY through a secret manager or environment configuration and check only whether it is set, not its value.