Humaboam Final
PassAudited by ClawScan on May 1, 2026.
Overview
No suspicious behavior is evident; this instruction-only job-board skill clearly uses a Humaboam token to list, submit, and report job listings.
This skill appears coherent and limited to Humaboam job-board API instructions. Before installing, be comfortable giving your agent a Humaboam token, and tell it to ask before submitting jobs or reporting listings.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create job listings or flag listings under the user's Humaboam token.
The skill documents authenticated POST actions that can add job listings and report existing listings; this is purpose-aligned for a job board, but it can affect service content.
| Submit a job | POST | `https://humaboam.fyi/agent/job-descriptions/` ... | Report bad listing | POST |
Only allow submit or report actions after user confirmation, and verify job URLs and reasons before sending them.
Anyone or any agent with the token may be able to access the Humaboam agent API for that account, including profile and posting/reporting actions.
The skill requires a bearer token supplied by the human and says it is used in every request; this is expected for the integration but is account authority that should be protected.
**Auth:** `Authorization: Bearer <token>`
Use a revocable, least-privileged agent token if available, avoid exposing it in unrelated chats or logs, and revoke it if it may have been shared accidentally.