ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx ashby

v1.0.0

Access and manage Ashby ATS data including candidate profiles, job listings, and application details via API calls.

0· 79·0 current·0 all-time
byBruce Gutman@b-gutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for b-gutman/pipeworx-ashby.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pipeworx ashby" (b-gutman/pipeworx-ashby) from ClawHub.
Skill page: https://clawhub.ai/b-gutman/pipeworx-ashby
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-ashby

ClawHub CLI

Package manager switcher

npx clawhub@latest install pipeworx-ashby
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is to access/manage Ashby ATS data, but the package declares no credentials, env vars, or config paths for authenticating to Ashby. Instead it includes an opaque mcpServers gateway URL (https://gateway.pipeworx.io/ashby/mcp) without explaining who runs that gateway or how auth/authorization is handled — this mismatch is unexplained.
Instruction Scope
SKILL.md is minimal and only lists API-like operations (list/get candidates/jobs/applications) and a JSON fragment with an external gateway URL. It does not instruct the agent to read local files or other unrelated secrets, but it also omits critical runtime details (how to authenticate, expected request/response formats, or where candidate data may be sent/stored).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer — lowest-risk install mechanism. Network calls would occur at runtime, however.
!
Credentials
No environment variables or primary credential are declared despite the need to access protected ATS data (emails, resumes, contact info). Either the gateway handles auth (not documented) or the skill is missing required credential declarations — both are problematic for evaluating least-privilege and data exposure.
Persistence & Privilege
Skill is user-invocable and not forcibly always-enabled; it does not request persistent system-wide privileges. Autonomous invocation is allowed by default but not unusual; nothing indicates modification of other skills or system config.
What to consider before installing
This skill declares it will read and return sensitive ATS data but gives no details about authentication or who operates the gateway it points to. Before installing: (1) Ask the publisher for the source code or a homepage and documentation explaining authentication and data flows; (2) Confirm who controls https://gateway.pipeworx.io and whether candidate data is proxied, logged, or stored there; (3) Require the skill to declare required env vars or OAuth flows so you can provide least-privilege credentials; (4) If you must test, do so in an isolated environment with test data and monitor outbound traffic; (5) Prefer skills that document auth, scopes, and retention policies — avoid installing if the gateway/operator cannot be verified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97etyqrxgpn30zjs55zekrmw985a6tg
79downloads
0stars
1versions
Updated 5d ago
v1.0.0
MIT-0
Bruce Gutman@b-gutman
latest
Download

Ashby

Ashby MCP Pack — wraps the Ashby ATS API

ashby_list_candidates

Search candidates in your ATS. Returns names, emails, and application metadata. Use ashby_get_candid

ashby_get_candidate

Get full candidate profile by ID. Returns contact info, resume, interview history, and current appli

ashby_list_jobs

Search open positions. Filter by status (open, closed, draft, archived). Returns job title, departme

ashby_get_job

Get full job posting by ID. Returns description, requirements, hiring stage, and applicant count.

ashby_list_applications

Search job applications across positions. Returns candidate name, applied job, application stage, an

{
  "mcpServers": {
    "ashby": {
      "url": "https://gateway.pipeworx.io/ashby/mcp"
    }
  }
}

Comments

Loading comments...