Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Job Search Agent
v1.0.0
AI-powered job search assistant that searches multiple job boards, matches opportunities against your CV, and helps you apply faster.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims multi-site search, CV matching, and auto-apply to LinkedIn/Indeed/Glassdoor, but the package declares no credentials, no config paths, and no instructions for authenticating to those services. It is unclear how it would legitimately perform auto-apply or account-specific actions without access to user accounts or an API.
Instruction Scope
The SKILL.md contains only high-level feature descriptions and usage examples, with no concrete runtime steps, authentication flow, data sources for the user's CV, or limits on what the agent may do. This open-ended guidance grants broad discretion and could lead the agent to request or use sensitive credentials or to perform scraping/automated interactions without explicit constraints.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk during install. This lowers risk from arbitrary remote code installs.
Credentials
No environment variables or credentials are declared, yet the claimed features inherently require account access (LinkedIn, Indeed, etc.) and access to the user's CV. The lack of declared required credentials is inconsistent and leaves unclear whether and how the skill will ask for or handle sensitive secrets.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation. It does not request system-wide persistence or modification of other skills. No elevated persistence privileges are declared.
What to consider before installing
This skill is vague about how it will perform searches and auto-apply actions. Before installing or using it, ask the publisher: (1) how will it authenticate to job sites (OAuth vs. username/password)? (2) where and how will you provide your CV and account credentials, and how will they be stored or deleted? (3) what exact actions will the agent perform when "auto-apply" is invoked, and can you approve each application before it is sent? (4) can they provide concrete runtime code or an auth flow so you can verify there is no hidden credential exfiltration or web-scraping that violates terms of service? If the publisher cannot show a clear, least-privilege authentication design (scoped tokens, explicit consent dialogs, and no hidden network endpoints), avoid providing account credentials or enabling autonomous application submission.
Like a lobster shell, security has layers — review code before you run it.
latestvk9770k078r56eqzzjnv8sw4nnd83c3fx
