Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Job-Hunter
v1.1.0
AI-powered CV generator for job applications. Sets up automated job search with CareerForge CLI, manages master resume creation, configures filtering criteri...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)

Purpose & Capability
The described purpose (master resume, filters, job search, CV generation) matches the provided scripts and docs. However, the skill references external integrations (Google Gemini API, Telegram messaging) that are not declared in the registry metadata (no required env vars are listed). SKILL.md also references a job_search.py script and a careerforge CLI repository; job_search.py is mentioned but not present in the file manifest, which is an incoherence.
Instruction Scope
Runtime instructions ask you to git clone and run npm install for a third-party repo, configure an LLM API key (GEMINI_API_KEY), and set up hourly cron-style job searches that send listings to a Telegram group. The documentation never explains how Telegram delivery is configured (no token, no webhook, no bot setup). The skill also suggests cloning into /root/.openclaw/workspace (a privileged path); its assumptions about paths and persistence are not explicitly justified.
Install Mechanism
There is no formal install spec (the skill is instruction-only), but SKILL.md and the scripts instruct executing 'git clone' from GitHub and 'npm install', which will run third-party JS code and may pull Playwright browser binaries (noted in the docs). Cloning and running unreviewed code from an external repo is a moderate-to-high risk unless you inspect it first. The repo URL is a direct GitHub URL (better than a raw IP or a link shortener) but the instructions still execute remote code.
Credentials
The registry lists no required env vars, but multiple files explicitly reference GEMINI_API_KEY and expect an LLM provider key. The skill also claims to send messages to Telegram but does not request or document any Telegram bot token or TELEGRAM_CHAT_ID/TELEGRAM_TOKEN environment variables. That is a clear mismatch: credentials necessary for core functionality are not declared.
Persistence & Privilege
The skill is not marked always:true and does not autonomously declare model privileges, but it instructs creating scheduled jobs (cron) that run hourly and send data externally (to Telegram). Creating persistent scheduled tasks and running third-party code increases persistence and blast radius; explicit user consent and a controlled execution environment are recommended.
What to consider before installing
Before installing or running this skill:
1) Verify and inspect the GitHub repo (https://github.com/alon-mini/CareerForge-cli) and any JS files (especially generate_cv_from_json.js and any networking code).
2) Do not run npm install or clone into the system root without reviewing the code; consider a disposable container or VM.
3) The skill requires a Gemini API key (GEMINI_API_KEY); the registry metadata failed to declare this. Only set it if you trust the code.
4) The skill claims to send job postings to Telegram but provides no setup details or required Telegram credentials. Ask the author how Telegram is configured and what credentials are used.
5) The manifest references job_search.py but that file is not included; ask for the missing files or proof of what will run.
6) If you proceed, avoid running as root, limit network access if possible, and review the Playwright/browser installation steps (they download browser binaries).
If you are not comfortable auditing the external repo, do not run the scripts or grant API keys.

Like a lobster shell, security has layers: review code before you run it.
