Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jobs Hunter Claw

v1.4.0

Automate job discovery, application submission, status tracking, and activity logging using Google Sheets as the central data store for your job hunt.

by ABFS Tech (@quantdeveloperusa)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to be a Google Sheets-based job tracker (discover → apply → track), which legitimately needs Google Sheets access and a spreadsheet ID. However the registry metadata lists no required env vars or binaries while SKILL.md and the shipped scripts clearly require the gog CLI, bash, and an environment variable JOB_TRACKER_SPREADSHEET_ID. This mismatch means the declared registry requirements are incomplete.
! Instruction Scope
SKILL.md includes instructions for cron jobs that say the agent should 'scan email for job-related messages' and 'check calendar', yet the shipped code (shell script + Apps Script) only implements Sheets CRUD operations; there is no explicit code to perform email/calendar scans, nor guidance on what credentials or services those actions require. The instructions also tell agents to set the spreadsheet ID via environment or TOOLS.md and to post to external channels (Discord channel IDs) in cron tasks. These actions involve access to email, calendar, and external channels, but that access is neither declared nor implemented in the included code.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md offers installation via ClawHub or git clone and suggests installing gog via Homebrew (steipete/tap). The included files are plain scripts and Apps Script; there are no downloads from unknown hosts. This is moderate risk because the skill expects you to run scripts and install a third-party CLI (gog) from a tap. Verify the source of that tap and the ClawHub/GitHub repositories before installing.
! Credentials
The runtime clearly needs JOB_TRACKER_SPREADSHEET_ID and Google authentication credentials (gog auth with client_secret.json or service account), but the registry metadata lists no required env vars or primary credential. The scripts also reference posting to channels (cron examples use Discord channel IDs) and suggest scanning email/calendar — these would require additional credentials (Gmail, Calendar, or bot tokens) that are not declared. Requesting undeclared secrets or granting broad Google/Gmail access would be disproportionate without clear justification.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. However SKILL.md encourages setting up cron jobs and agent-level environment configuration and suggests posting to external channels; if you enable cron/email scanning and give the agent Gmail/Calendar or Discord posting rights, the operational blast radius increases. Autonomous invocation is allowed by default — combine that with undeclared credentials and cron tasks only if you trust the skill.
What to consider before installing
Do not install or run cron tasks until the following are clarified and validated:
(1) Ask the publisher to correct registry metadata to list required binaries (gog, bash) and required env vars (at minimum JOB_TRACKER_SPREADSHEET_ID) and to declare any additional credentials (Gmail/Calendar/Discord tokens) needed for email scans or channel posting.
(2) Inspect the included scripts yourself — they manipulate your Sheets using the gog CLI and will require gog-authenticated access; verify the gog Homebrew tap and the GitHub/ClawHub repo URLs are legitimate.
(3) Avoid granting Gmail/Calendar or bot posting tokens unless absolutely necessary; if you must, use a dedicated service account with minimal scopes and share only the spreadsheet with that account.
(4) If you plan to run cron/email scanning, restrict the agent's permissions, run it in an isolated workspace, and review logs regularly.
If the publisher cannot justify or correct the missing declarations, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eqc59tssjyewf3bncr0shyn837tjz
