Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jobs Market Intelligence
v1.0.0
Provides job market insights by tracking postings, skills demand, salary benchmarks, hiring trends, and competitor activity from public job boards via Apify.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the SKILL.md: the skill is designed to collect and analyze publicly posted job listings via Apify. That capability legitimately explains the described features (skill demand, salary benchmarks, hiring trends). However, the manifest declares no primary credential or required env vars even though the SKILL.md explicitly instructs the user to create an Apify account and obtain an API token. This is an incoherence between claimed capability and declared requirements.
Instruction Scope
The SKILL.md instructions (as provided) stay on-scope: they describe using Apify actors to collect publicly listed job postings and then analyzing that data. There are no visible instructions to read unrelated local files, harvest unrelated credentials, or send data to third-party endpoints other than Apify. (The file is truncated in the bundle; full SKILL.md should be checked to confirm there are no unexpected steps.)
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes the attack surface. Nothing in the manifest attempts to download or install software.
Credentials
The SKILL.md instructs users to get an Apify API token and describes using Apify actors, but the skill metadata lists no required env vars or primary credential. That mismatch is concerning: the agent will need an API token to operate via Apify, so the skill either (a) expects the user to paste the token into chat at runtime (not declared), or (b) omits declaring a required environment variable. Either case is an incoherence that affects security (an API token grants actions via your Apify account).
Persistence & Privilege
The skill is not marked always:true and does not request persistent system privileges. Autonomous invocation is allowed (the platform default), which is reasonable for a data-collection/analysis skill. No evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to be what it says (job-market research using Apify) but it fails to declare the Apify API token or other credentials in its metadata. Before installing or using it:
- Confirm how the agent will obtain your Apify API token. Prefer supplying a short-lived or limited-scope token and avoid pasting long-lived master tokens into chat. Ask the developer to declare a required env var (e.g., APIFY_TOKEN) so the credential handling is explicit.
- Create a dedicated Apify account for this skill with minimal permissions and billing limits, rather than using your primary account.
- Review the specific Apify actors the skill recommends before running them; ensure they only collect public postings and do not require site credentials or breach terms of service.
- Because the SKILL.md was truncated in the provided bundle, ask for the full instructions and confirm there are no steps that request unrelated system files, keys, or long-term data storage.
If the developer updates the manifest to explicitly require and document APIFY_TOKEN (and clarifies how tokens are stored/used), the incoherence will be resolved and the risk assessment should be revisited.
Like a lobster shell, security has layers — review code before you run it.
