Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Job Hunter Gmail

v1.0.0

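Automatically manages résumé and cover-letter templates, records job applications and their status, and automatically sends and categorizes job-application emails via Gmail.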


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hsyhph/job-hunter-gmail.

Install the skill "Job Hunter Gmail" (hsyhph/job-hunter-gmail) from ClawHub.
Skill page: https://clawhub.ai/hsyhph/job-hunter-gmail
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install job-hunter-gmail

ClawHub CLI


npx clawhub@latest install job-hunter-gmail
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's stated purpose is to send applications via Gmail. The code indeed sends mail, manages local application records, and creates Gmail labels — so capability matches purpose. However the SKILL.md and registry metadata do not consistently declare required credentials: SKILL.md lists GMAIL_API_KEY while the code expects MATON_API_KEY. The registry lists no required env vars. This mismatch (and a hard-coded API key in the code) is incoherent and unnecessary for a transparent integration.
! Instruction Scope
SKILL.md triggers on job-related keywords and instructs automatic sending, labeling, and CCing of records. The code implements that and also sends data (email content, attachments) to a third-party gateway (gateway.maton.ai). SKILL.md refers to Gmail integration but does not disclose use of this third-party gateway or the hard-coded credential; automatic activation + external network calls expands the attack surface and is not fully transparent.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed by an installer. The only code is included in the bundle (scripts/send_application.py) which will run if invoked — no external install URLs or extracted archives were found.
! Credentials
The skill metadata lists no required env vars, SKILL.md mentions GMAIL_API_KEY and other config keys, but the script actually uses MATON_API_KEY and provides a long default hard-coded value. Embedding a default API key in code is a serious red flag: it grants the included third-party service access to sent messages/attachments. The required/declared env vars are inconsistent with what code uses, and the hard-coded credential is disproportionate to a transparent Gmail integration.
Persistence & Privilege
always:false and no special OS restrictions. The skill does not request permanent platform-level presence and does not modify other skills or system-wide agent settings. Autonomous invocation by the agent is enabled (default) but not combined with other privileged flags.
Scan Findings in Context
[hardcoded-maton-api-key] unexpected: The script defines MATON_API_KEY with a long default value inside the code. A mailing/Gmail integration should not ship with a reusable secret; this may permit the bundled third‑party gateway to access emails/attachments.
[third-party-mail-gateway] unexpected: Instead of calling official Google/Gmail APIs or describing OAuth flows, the code posts to https://gateway.maton.ai/google-mail/..., a third‑party gateway. The SKILL.md mentions Gmail but does not disclose use of this gateway or any privacy/consent implications.
[env-var-name-mismatch] unexpected: SKILL.md references GMAIL_API_KEY but the script reads MATON_API_KEY and the registry lists no required env vars. This mismatch is a transparency / configuration bug that could lead users to expose credentials unintentionally.
What to consider before installing
This skill's functionality (compose and send application emails, manage local records) is coherent, but there are important red flags you should address before installing or using it:

- Do not rely on the hard-coded MATON_API_KEY in the script. Treat it as a secret: remove it from code and require the user to provide their own credential (and prefer OAuth for Gmail). If you already used this code with the embedded key, consider revoking that key at the Maton/gateway service.
- Verify and understand the third-party gateway (gateway.maton.ai). The script sends email content and attachments through that service; only use it if you trust that provider and their data handling. Prefer using Google's official API and OAuth flows if you want direct Gmail integration.
- Fix the configuration inconsistencies: SKILL.md, registry metadata, and the code should agree on what env var is required (e.g., GMAIL_API_KEY or MATON_API_KEY) and declare it in the registry. Avoid shipping default credentials.
- Review the code for how attachments are selected (resume path) so you don’t unintentionally send sensitive files. The script reads data/resume.json and local resume file paths — ensure those files contain only information you want transmitted.
- If you do not trust the Maton gateway or the embedded key, do not run the send functionality. You can still use the non-network parts locally (cover letter generation, local application tracking) after removing or sandboxing network calls.

If you want, I can suggest precise code changes to remove the hard-coded key, add explicit env var checks, or switch the script to use OAuth with Google's official API.

Like a lobster shell, security has layers — review code before you run it.

Tags: auto-apply, gmail, job, latest
115 downloads
0 stars
1 version
Updated 4w ago
v1.0.0
MIT-0

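Automated Job Application Skill

Overview

Automates the job-hunting workflow, including résumé management, cover-letter templates, job-platform management, automatic application records, and Gmail-integrated tracking.

Trigger Conditions

Activates automatically when the user mentions "求职" (job hunting), "投简历" (submitting a résumé), "找工作" (looking for a job), "job", or "简历" (résumé).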

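Capabilities

1. Résumé management

  • Upload/update résumés (PDF/DOCX)
  • Maintain multiple résumé versions (for different job tracks)
  • Extract key information from the résumé

2. Cover-letter templates

  • Create cover-letter templates tailored to different positions
  • Variable substitution: name, position, company name, JD, etc.
  • Automatically generate customized cover letters

3. Job-platform management

  • Record the job platforms applied through (BOSS直聘, 拉勾, 猎聘, 智联招聘, etc.)
  • Record application status: applied, awaiting reply, interviewed, rejected, offer received

4. Application tracking

  • Record application time, company, position, salary, and status
  • Automatic Gmail label classification (by company or status)

5. Automatic application (via Gmail)

  • Send job-application emails using Gmail
  • Automatically CC the application record to a specified mailbox
  • Automatically apply labels for classification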

File Structure

job-hunter/
├── SKILL.md
├── scripts/
│   ├── send_application.py    # Send job-application emails
│   ├── track_applications.py  # Track application status
│   └── gmail_labels.py        # Gmail label management
├── templates/
│   ├── cover_letter_general.md
│   ├── cover_letter_tech.md
│   └── cover_letter_sales.md
├── data/
│   ├── resume.json            # Résumé information
│   ├── applications.json      # Application records
│   └── platforms.json         # Platform configuration

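Configuration

  • GMAIL_API_KEY: Maton Gmail API Key (inherited automatically)
  • RESUME_PATH: path to the résumé file
  • DEFAULT_EMAIL_SIGNATURE: default email signature

Usage Examples

  • "Help me submit a résumé" → interactive application flow
  • "Show application records" → list all applications
  • "Update résumé" → upload a new résumé
  • "Generate a cover letter" → create a customized cover letter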
