Get local help for shifts and tasks (Blossomai.org)

Suspicious

Audited by ClawScan on May 13, 2026.

Overview

The skill is aligned with a jobs marketplace, but it creates or uses a permanent full-access Blossom API key and can change marketplace records, so it needs careful review before use.

Install only if you are comfortable sharing the needed personal/job information with Blossom and letting the agent use a permanent full-access Blossom account key. Use a unique passKey, review every confirmation before posting/applying/updating/deleting, and contact Blossom immediately if the key may have been exposed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the API key leaks or is used incorrectly, someone could potentially access or change the user's Blossom account until Blossom rotates or revokes it.

Why it was flagged

This shows the skill relies on a long-lived credential with full Blossom account authority and limited revocation controls if it is exposed or misused.

Skill content

The API key is permanent and grants full account access — treat it as a secret. ... The current protocol does not expose scoped keys, expiry, or self-service revocation

Recommendation

Use a unique Blossom passKey, keep the API key out of shared chats/logs, and ask Blossom for scoped, expiring, or self-service-revocable credentials if available.

What this means

A confirmed mistake could post, update, delete, or submit marketplace records on the user's behalf.

Why it was flagged

The skill can perform high-impact marketplace actions, but the instructions require a user confirmation gate before each mutating request.

Skill content

Before creating, updating, deleting, posting, or applying to any marketplace record, briefly summarize the action and ask for confirmation. Do not send the mutating request until the user clearly confirms.

Recommendation

Review each confirmation summary carefully and do not approve broad or unclear marketplace changes.

What this means

Personal and job-related information provided to the agent may be sent to Blossom to perform marketplace actions.

Why it was flagged

The skill clearly discloses an external provider data flow involving personal information and includes minimization rules.

Skill content

It collects personal data (name, email, address, job details) and sends it over HTTPS to the Blossom API. ... Only send the minimum data needed for the current Blossom action.

Recommendation

Only provide information needed for the Blossom task and review Blossom's privacy policy before using the skill.