Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
boss-job
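v1.2.0
Remotely operates BOSS直聘 via OpenCLI. Supports job search, viewing job details, sending greetings, chat history management, and message sending. Requires a logged-in Chrome session.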
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: it automates BOSS直聘 actions via OpenCLI and a Chrome login session. Requiring OpenCLI and a browser login is coherent with the stated purpose.
Instruction Scope
The SKILL.md explicitly directs installing OpenCLI, the OpenCLI Chrome extension, and an OpenCLI plugin from github:SPYQWER1/opencli-plugin-boss-job. While these steps are functionally necessary to control the site using the browser session, they empower code to access your Chrome login state (cookies/session) and act on your behalf — this is sensitive and outside the skill file itself (which contains no code).
Install Mechanism
The instructions tell the user to run 'npm install -g @jackwener/opencli' (an npm package) and to install an OpenCLI plugin from a specific GitHub repo (SPYQWER1/opencli-plugin-boss-job). Installing an extension/plugin from an unverified GitHub repo or third-party extension is higher risk because it will run code on your machine and in your browser; the skill registry entry itself contains no vetted install spec or source URL.
Credentials
The skill requests no env vars, which is appropriate, but requires access to your Chrome logged-in session and a browser extension — effectively granting access to sensitive credentials/cookies. That level of access is proportionate only if you trust the extension/plugin source; the SKILL.md gives no assurance or verification of the plugin/extension authorship.
Persistence & Privilege
Although the skill metadata does not set always:true, the recommended workflow installs a browser extension and an OpenCLI plugin which persist and can be used later. Persistent browser/extension access increases blast radius (can act on your active sessions) and should be considered a significant privilege.
What to consider before installing
This skill does what it claims (automates BOSS直聘 using your Chrome login), but it requires installing a Chrome extension and an OpenCLI plugin from a GitHub user with no homepage or source listed in the registry. Before installing: (1) verify the plugin GitHub repo (SPYQWER1/opencli-plugin-boss-job) and review its code and maintainer reputation; (2) inspect the OpenCLI Chrome extension permissions and the OpenCLI npm package (@jackwener/opencli); (3) prefer installing in a disposable browser profile or VM, not your primary account with other sensitive sessions; (4) avoid using with high-privilege or financial accounts until you trust the extension. If you cannot review the plugin/extension source or verify the author, do not install.
Like a lobster shell, security has layers — review code before you run it.
