Get local help for shifts and tasks (Blossomai.org)
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: blossom-hire
Version: 1.0.19
The blossom-hire skill provides a structured interface for interacting with the Blossom job marketplace API (hello.blossomai.org). The SKILL.md file includes explicit security and privacy instructions for the AI agent, such as discarding user passwords immediately after registration, requiring confirmation for destructive actions, and strictly limiting data transmission to the minimum required for job-related tasks. No indicators of malicious intent, unauthorized data exfiltration, or suspicious execution patterns were identified.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key leaks or is used incorrectly, someone could potentially access or change the user's Blossom account until Blossom rotates or revokes it.
This shows the skill relies on a long-lived credential with full Blossom account authority and limited revocation controls if it is exposed or misused.
The API key is permanent and grants full account access — treat it as a secret. ... The current protocol does not expose scoped keys, expiry, or self-service revocation
Use a unique Blossom passKey, keep the API key out of shared chats/logs, and ask Blossom for scoped, expiring, or self-service-revocable credentials if available.
A confirmed mistake could post, update, delete, or submit marketplace records on the user's behalf.
The skill can perform high-impact marketplace actions, but the instructions require a user confirmation gate before each mutating request.
Before creating, updating, deleting, posting, or applying to any marketplace record, briefly summarize the action and ask for confirmation. Do not send the mutating request until the user clearly confirms.
Review each confirmation summary carefully and do not approve broad or unclear marketplace changes.
Personal and job-related information provided to the agent may be sent to Blossom to perform marketplace actions.
The skill clearly discloses an external provider data flow involving personal information and includes minimization rules.
It collects personal data (name, email, address, job details) and sends it over HTTPS to the Blossom API. ... Only send the minimum data needed for the current Blossom action.
Only provide information needed for the Blossom task and review Blossom's privacy policy before using the skill.
