Humaboam Final
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: humaboam-final Version: 2.0.0 The skill bundle is benign. All network interactions are directed to the legitimate `https://humaboam.fyi` domain, as defined in `SKILL.md`. There are no instructions for the agent to perform actions outside the scope of a job board (listing, submitting, reporting jobs), no attempts to access sensitive files or environment variables, and no evidence of malicious execution patterns (e.g., `curl|bash`, `eval`, obfuscation). The instructions for the agent are behavioral guidelines within the skill's stated purpose, not prompt injection aiming for malicious actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create job listings or flag listings under the user's Humaboam token.
The skill documents authenticated POST actions that can add job listings and report existing listings; this is purpose-aligned for a job board, but it can affect service content.
| Submit a job | POST | `https://humaboam.fyi/agent/job-descriptions/` ... | Report bad listing | POST |
Only allow submit or report actions after user confirmation, and verify job URLs and reasons before sending them.
Anyone or any agent with the token may be able to access the Humaboam agent API for that account, including profile and posting/reporting actions.
The skill requires a bearer token supplied by the human and says it is used in every request; this is expected for the integration but is account authority that should be protected.
**Auth:** `Authorization: Bearer <token>`
Use a revocable, least-privileged agent token if available, avoid exposing it in unrelated chats or logs, and revoke it if it may have been shared accidentally.