JobClaw

Security checks across malware telemetry and agentic risk

Overview

JobClaw mostly does what it claims, but its scheduled workflow has unsafe automatic behavior that can modify records and may mishandle job-derived data.

Review before installing. Use a virtual environment instead of allowing system-wide pip changes, keep notifications disabled unless needed, protect config.json if you store Telegram/OpenClaw credentials, and avoid enabling scheduled runs until the daily runner stops injecting job text into Python code, validates archive-check URLs, and makes dry-run truly read-only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        # HEAD check for status code
        result = subprocess.run(
            ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
             "--max-time", "8", "--location", url],
            capture_output=True, text=True, timeout=12
Confidence
92% confidence
Finding
result = subprocess.run( ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "--max-time", "8", "--location", url], capture_output=True, text=True, tim

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            return False
        if 200 <= code < 400:
            # GET to check for dead phrases in body
            body_result = subprocess.run(
                ["curl", "-s", "--max-time", "8", "--location", url],
                capture_output=True, text=True, timeout=12
            )
Confidence
92% confidence
Finding
body_result = subprocess.run( ["curl", "-s", "--max-time", "8", "--location", url], capture_output=True, text=True, timeout=12 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install_package(package: str) -> bool:
    print(f"  Installing {package}...")
    result = subprocess.run(
        [sys.executable, "-m", "pip", "install", package, "--break-system-packages"],
        capture_output=True, text=True,
    )
Confidence
92% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", package, "--break-system-packages"], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        print(f"  ✅ {package} installed.")
        return True
    # Try without --break-system-packages
    result2 = subprocess.run(
        [sys.executable, "-m", "pip", "install", package],
        capture_output=True, text=True,
    )
Confidence
88% confidence
Finding
result2 = subprocess.run( [sys.executable, "-m", "pip", "install", package], capture_output=True, text=True, )

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script performs an automatic archival action with `archiver.py --commit`, which mutates the user's job-tracking data even though the declared skill description only mentions searching, scoring, and saving results. In an automation context triggered by cron, undisclosed state-changing behavior is security-relevant because users may lose visibility into active opportunities or have records altered without informed consent.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script sends notifications through `notify.py`/`send_summary`, but the skill metadata does not disclose any notification or messaging capability. Hidden outbound communication increases risk because a job-search skill may handle sensitive employment data, and users would not expect their search activity or job statistics to be transmitted elsewhere.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup wizard installs Python packages, including with --break-system-packages, which exceeds a minimal configuration role and can modify the host environment in a risky way. In a skill intended for job searching, automatic dependency installation is not inherently malicious, but it does meaningfully increase attack surface and operational risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match ordinary job-related conversation, so the skill may activate when the user did not intend to run an automation workflow with file writes, network access, or scheduled execution. In this skill's context, ambiguous activation is more dangerous because activation can lead to credential collection, persistence in local files, and external searches.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup flow collects bot tokens, chat IDs, profile details, and job preferences, then writes them to a persistent local config without warning about storage, retention, or exposure. These secrets and personal data could be accessed by other local processes, leaked through backups or logs, or reused to send unauthorized messages if the file permissions are weak.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger `top jobs` is generic enough to match ordinary conversation, which can cause the skill to activate when the user is merely asking a question rather than intending to run the command. In an agent environment, this can lead to unintended access to local job-tracker data and unexpected command execution without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The phrase `set up daily search` is broad and overlaps with normal assistant interactions about planning or advice, making accidental skill invocation plausible. Because this action may configure automation or cron-like scheduling, an unintended match could create persistent behavior the user did not explicitly authorize.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes notification configuration for Telegram and similar channels, implying transmission of job-search results and possibly profile-derived metadata to third-party services, but it does not clearly warn users about that data flow. In a job-search skill, the data may include sensitive career interests, recruiter contacts, and links to tracked applications, so silent or poorly disclosed external transmission creates a meaningful privacy and security risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script runs `archiver.py --commit` automatically in a scheduled workflow without any visible confirmation or warning at execution time. For a tool that manages job applications, silent destructive or state-changing actions can materially affect user records and decision-making, especially if archival criteria are wrong or unexpectedly broad.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
In non-interactive mode, the script installs packages automatically without an execution-time consent prompt. That makes unattended runs capable of altering the system and fetching external code, which is especially risky in automation contexts where the user may not realize package installation will occur.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The wizard collects Telegram/OpenClaw credentials and writes them into a local config.json file without warning about plaintext local storage. If that file is exposed through backups, weak permissions, multi-user systems, or accidental sharing, notification credentials can be stolen and abused.

VirusTotal

VirusTotal findings are pending for this skill version.