v1.0.0

Job Search Agent

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

This skill is not clearly malicious, but it advertises bulk auto-applying to jobs and handling CV/application data without clear review, account, or data-retention boundaries.

GuidanceInstall only if you are comfortable with an assistant helping prepare job applications, and do not let it submit anything automatically unless you can review each employer, role, resume, cover letter, and account action first.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

- **Auto-apply**: Apply to multiple matching jobs with one command

Bulk job application submission is a high-impact external action; the artifact does not specify preview, confirmation, caps, rollback, or approval requirements before submissions.

User impactThe agent could submit applications to employers in bulk, potentially sending inaccurate or unwanted materials and affecting the user's job prospects.

RecommendationRequire explicit user approval before every final submission or clearly bounded batch, show the employer, role, resume, cover letter, and submitted fields, and set a safe maximum number of applications.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

- LinkedIn Jobs
- Indeed
- Glassdoor

The skill targets account-based job platforms while also advertising auto-apply behavior, but the artifacts do not define what account identity, permissions, or credential boundaries would be used.

User impactThe agent may need to act through the user's professional accounts or profile, creating risk of unintended submissions or account activity.

RecommendationDocument the authentication model, limit platform/account access, avoid using stored sessions without explicit user direction, and require confirmation before any account action.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceMediumStatusNote

SKILL.md

- **Smart CV matching**: Automatically match job requirements against your skills and experience
- **Application tracking**: Keep track of all your applications in one place

CV matching and application tracking are aligned with the skill's purpose, but they involve personal career data and the artifact does not explain storage, retention, or reuse boundaries.

User impactThe user's CV details, skills, employment history, and application history may be used as ongoing context.

RecommendationClarify where profile and tracking data is stored, how long it is retained, and whether it is reused across sessions; let users review and delete it.