Back to skill

Security audit

Jobwatch

Security checks across malware telemetry and agentic risk

Overview

This is a coherent job-monitoring skill, but it deserves Review because it can run persistently, use ambient OpenClaw credentials, and send job/profile-derived data to external services.

Install only if you are comfortable with a persistent job watcher storing your job-search profile and application history. Prefer the default local KB and agent notification modes if you want less data sharing. Review any use of Firecrawl, Jina, 2brain, Telegram, or api judging because those modes can send watched URLs, job descriptions, profile-derived judgments, or messages to third-party services and may reuse existing OpenClaw credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly directs the agent to use shell commands, read/write files under a workspace, access environment-backed configuration, and fetch data from network sources, yet no explicit permissions are declared. That mismatch weakens review and containment because operators may not realize the skill can persist data, access secrets-adjacent config, and perform autonomous external monitoring.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The helper functions read credentials and identifiers from host-platform files outside the skill's own directory, including OpenClaw auth and Telegram configuration. This creates cross-scope secret access: a job-monitoring skill can silently inherit tokens and chat IDs intended for the broader host environment, increasing the blast radius if the skill is compromised or behaves unexpectedly.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad natural-language phrases like 'job search', 'find jobs for me', and 'top jobs', which can match ordinary conversation and invoke an autonomous workflow unexpectedly. Because this skill can store profile data, schedule cron jobs, and send notifications, accidental activation has meaningful privacy and autonomy impact.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The onboarding flow asks for resume details, visa needs, seniority, red lines, and company targets, and stores them in local files and knowledge bases, but the skill description does not prominently warn the user that sensitive employment-profile data will be collected and retained. This creates a privacy risk because users may disclose personal and potentially sensitive information without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill enables scheduled autonomous monitoring and notifications via cron after a brief consent step, but it lacks a strong warning about the ongoing nature of monitoring, message frequency, and continued external access. In context, this is risky because the skill may repeatedly scrape job sources, persist judgments, and send alerts without the user appreciating the operational footprint.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code accesses API keys, bot tokens, and chat identifiers without any user-facing notice, consent check, or audit signal in the helper itself. Even if the feature is operationally useful, silent secret discovery makes it easy for users to be unaware that the skill is pulling credentials from ambient host configuration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code sends the target job-detail URL to Firecrawl, a third-party scraping service, which discloses the user-selected browsing target outside the local system. In a job-hunting skill, watched companies and URLs can reveal sensitive user interests, employer targets, or private/internal career pages; the file contains no in-band consent, allowlist, or disclosure mechanism before transmission.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The fallback path transmits the target URL to Jina Reader, another external service, without any visible notice or consent in this component. Because this happens automatically after Firecrawl failure, users or operators may not realize their monitored job URLs are being shared with an additional third party, increasing privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends company, title, location, URL, and scraped job-description text to a third-party LLM endpoint selected by configuration or environment variables, with no visible consent gate, minimization, or trust restriction in this file. In a job-hunting skill, this can leak user-derived context and browsing targets to external providers, especially because the endpoint may be any OpenAI-compatible service rather than a fixed vetted backend.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function uploads full document contents to a third-party remote knowledge-base API, but this file contains no consent gate, classification check, or redaction step before transmission. In a job-hunting skill, uploaded documents may include resumes, application notes, contact details, visa status, and other sensitive personal data, so silent exfiltration to an external service creates real privacy and compliance risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
User questions are sent verbatim to an external chat endpoint without any user-facing disclosure or minimization. In this skill context, users may ask about applications, immigration constraints, salary expectations, or personal profile details, so undisclosed transmission can leak sensitive personal information.

External Transmission

Medium
Category
Data Exfiltration
Content
if not key:
        raise RuntimeError("FIRECRAWL_API_KEY not set")
    resp = http_json(
        "https://api.firecrawl.dev/v1/scrape",
        method="POST",
        headers={"Authorization": f"Bearer {key}"},
        json_body={"url": url, "formats": ["markdown"], "onlyMainContent": True},
Confidence
91% confidence
Finding
https://api.firecrawl.dev/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.