Humaboam Final

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could create job listings or flag listings under the user's Humaboam token.

Why it was flagged

The skill documents authenticated POST actions that can add job listings and report existing listings; this is purpose-aligned for a job board, but it can affect service content.

Skill content
| Submit a job | POST | `https://humaboam.fyi/agent/job-descriptions/` ... | Report bad listing | POST |

Recommendation

Only allow submit or report actions after user confirmation, and verify job URLs and reasons before sending them.

What this means

Anyone or any agent with the token may be able to access the Humaboam agent API for that account, including profile and posting/reporting actions.

Why it was flagged

The skill requires a bearer token supplied by the human and says it is used in every request; this is expected for the integration but is account authority that should be protected.

Skill content
**Auth:** `Authorization: Bearer <token>`

Recommendation

Use a revocable, least-privileged agent token if available, avoid exposing it in unrelated chats or logs, and revoke it if it may have been shared accidentally.