Nimrobo
Warn
Audited by ClawScan on May 10, 2026.
Overview
Nimrobo is a coherent CLI integration, but it can perform high-impact hiring and organization actions with a stored API key and lacks explicit skill-level confirmation guardrails.
Before installing, verify the official Nimrobo npm package and understand that logging in stores an API key locally. If you use this skill, require the agent to ask before deleting or updating organizations/posts, changing roles, sending messages, accepting or rejecting applicants, or running batch actions. Handle transcripts, audio links, application data, and saved JSON files as confidential.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent mistake or overly broad instruction could delete organizations or posts, change member roles, send messages, or accept/reject candidates in bulk.
These commands can delete or mutate business, organization, access-control, and hiring data, including bulk application decisions, and the skill does not define explicit confirmation requirements before an agent uses them.
`nimrobo net orgs delete [orgId]` | Delete organization ... `nimrobo net orgs manage update-role [orgId] <userId>` | Update role ... `nimrobo net applications batch-action` | Batch accept/reject
Require explicit user confirmation, exact IDs, and a preview/list step before destructive, public-facing, role-changing, messaging, or batch actions.
Anyone or any agent process that can use the stored key may access or modify Nimrobo account data according to that key's privileges.
The API key is expected for the Nimrobo CLI, but it grants account-level access to both Voice and Net operations and is stored locally.
All commands require authentication via API key stored at `~/.nimrobo/config.json` ... `"API_KEY": "api_..."`
Use a dedicated, revocable, least-privilege API key where possible; protect `~/.nimrobo/config.json`; run `nimrobo logout` or revoke the key when no longer needed.
Installing the wrong or unverified package could run local code and later receive the user's Nimrobo API key.
A global npm CLI install is central to the skill, but package provenance is not captured by an install spec and the registry source/homepage are unknown.
`npm install -g @nimrobo/cli`
Verify the official Nimrobo package name and publisher before installing, and prefer a pinned version or documented official source.
Interview transcripts or summaries may be stored in local files and later exposed, reused, or committed accidentally.
The workflow shows interview transcripts being retrieved and saved locally; this is purpose-aligned but can contain sensitive candidate or participant conversation data.
`nimrobo voice sessions transcript sess_xyz -t project -p default --json > transcript.json`
Save transcripts only to intended locations, treat them as confidential hiring/interview records, and delete or restrict access when no longer needed.
