ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Swelist

v1.0.2

retrieves recently added technology internship and new‑graduate job postings.

2· 1.8k·0 current·0 all-time
byYuan Chen@chenyuan99
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (fetch public internship/new‑grad job postings) match the requested binary ('swelist') and the declared install (PyPI package 'swelist'). No credentials, config paths, or unrelated binaries are requested.
Instruction Scope
SKILL.md confines behavior to running the swelist CLI with flags, fetching live data from public GitHub repos, writing only to STDOUT, and consuming no stdin or local files. The doc asserts 'no side effects' and 'no persistent storage' — those are reasonable expectations but cannot be verified without inspecting the installed package.
Install Mechanism
Install is via PyPI ('swelist' package) which is appropriate for a Python CLI. Installing a PyPI package executes third-party code on the host; the installer is not a direct download from an unknown URL, but the package itself is external and not included in this skill bundle.
Credentials
No environment variables, secrets, or config paths are requested. The declared requirements (Python 3.8+, internet access) are proportional to the stated task of fetching public data.
Persistence & Privilege
Skill is not always‑on and does not request elevated persistence. It is user-invocable and allows autonomous invocation per platform defaults — this is expected for automation use cases and is not by itself a red flag.
Assessment
This skill appears coherent: it calls a CLI that pulls public job postings and asks for no credentials. However the actual behavior depends on the external PyPI package 'swelist', which is not included here. Before installing or granting an agent the ability to run it, review the PyPI project page and source repository (check package files, maintainer, recent releases, and dependencies). If you plan to run it on your machine or allow autonomous agents to invoke it, prefer installing in an isolated environment (virtualenv or container), avoid running as root, and verify there are no unexpected network endpoints or credential access in the package. If you need higher assurance, request the package source or a reproducible build so you can inspect what the installed binary actually does.

Like a lobster shell, security has layers — review code before you run it.

latestvk977gt1qewzs1bp4y929vvbyq980c182

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💼 Clawdis
Binsswelist

Install

Install swelist (uv)
Bins: swelist
uv tool install swelist

Comments