Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BDJobs Job Apply
v1.0.0
BDJobs job search, matching, applying, undoing, and salary-update automation for OpenClaw. Use when the user wants to set up BDJobs credentials/preferences,...
by Sazidul Alam @sazidulalam47
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the included scripts: login, search, fetch details, rank, auto-apply, undo, and salary updates. The skill legitimately needs BDJobs username/password and resume data saved under its data/ directory to operate.
Instruction Scope
SKILL.md instructs the agent to collect and store username/password and resume in data/userDetails.json and data/resume.md and to ensure data/loggedInData.json exists. The scripts write and read these files and also print login responses to stdout (login script console.logs loggedInData). That means authentication tokens and user credentials will be stored in plaintext in the skill workspace and may appear in agent logs or stdout, increasing the risk of accidental disclosure.
Install Mechanism
There is no install spec or external download; this is an instruction+code skill packed with scripts that run from the skill workspace. No arbitrary remote install step was found, which reduces supply-chain risk.
Credentials
The skill does not request environment variables, but it requires the user to provide BDJobs credentials (username/password) and stores tokens (token, refreshToken, encryptId, decodeId) in loggedInData.json. Storing and logging these sensitive values in the workspace is disproportionate from a privacy perspective unless the user accepts the risk. Also, the skill will perform network calls to several external endpoints; no unrelated credentials are requested.
Persistence & Privilege
The skill does not set always:true and does not attempt to modify other skills or global agent settings. It persists state only under its workspace data/ directory. However, spawned child processes inherit stdio and the login script prints tokens, which could expose secrets in logs—this is an operational privacy issue rather than an elevated platform privilege.
What to consider before installing
This skill appears to do what it says, but it handles real credentials and tokens in a way that can leak them: credentials are saved unencrypted in data/userDetails.json and loggedInData.json, and the login script prints authentication data to stdout (which may be stored in agent logs). Also note some endpoints used (testmongo.bdjobs.com and a run.app URL) look like test or third-party hosts rather than canonical production APIs. Before installing: (1) only use a disposable BDJobs account if you must test; (2) inspect or run the code in a sandboxed environment; (3) understand that tokens and passwords will be stored in the skill workspace and may appear in logs—clear or rotate them after use; (4) consider editing the code to avoid console.log of sensitive data and to encrypt or avoid persistent storage of credentials; (5) if you need strict privacy, do not provide primary account credentials and prefer manual application flow instead.
scripts/bdjobs-apply.js:37
Shell command execution detected (child_process).
scripts/bdjobs-undo.js:37
Shell command execution detected (child_process).
scripts/bdjobs-update-salary.js:36
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai, apply, automation, bdjobs, cron, jobs, latest, resume, search
