by 安全扫描
OpenClaw
安全
medium confidenceThe skill's requirements, scripts, and runtime instructions are consistent with an automated form-filling job-application tool, with no obvious mismatches or hidden network endpoints, though there are a few small implementation notes to verify before installing.
评估建议
This skill appears to do what it says: browser-driven form-filling using the openclaw CLI and local scripts. Before installing, (1) review the included scripts (check_required_fields.js, fill_template.sh, match_variant_options.sh) yourself to confirm they match your expectations; (2) verify where and how .docx resume parsing will run (SKILL.md mentions python-docx but there is no python script bundled); (3) ensure RESUME_DIR and TRACKER_PATH environment variables point only to directories/files ...详细分析 ▾
✓ 用途与能力
Requested binaries (openclaw, python3), python-docx, and environment variables (name, email, phone, LinkedIn, RESUME_DIR, TRACKER_PATH) all align with the stated purpose of filling forms and uploading resumes. The included scripts (DOM query, shell fill template, fuzzy-match helpers) match browser automation/form-filling functionality.
ℹ 指令范围
SKILL.md and scripts largely stay within form-filling scope: the JS is a read-only DOM query and shell templates run openclaw CLI commands. Two notes: (1) SKILL.md references reading .docx resumes via python-docx, but no python extraction script is present in the files — confirm how/where resume parsing is performed at runtime. (2) The skill writes ephemeral scripts to /tmp and reads files from RESUME_DIR and TRACKER_PATH; those filesystem accesses are expected but worth auditing (ensure paths point only to intended files).
✓ 安装机制
No install spec (instruction-only) and only three small local scripts are bundled. This is low-risk from installation perspective — no remote downloads or archive extraction.
ℹ 凭证需求
Requested environment variables are appropriate for form-filling (personal info, resume directory, tracker path). They do grant access to local files/paths (RESUME_DIR, TRACKER_PATH) — this is expected but gives the skill access to those files. There are no unrelated secret keys or cloud credentials requested.
✓ 持久化与权限
The skill is not marked always:true and does not request persistent system modifications. The SKILL.md explicitly states it does not leave background processes running. Autonomous invocation is allowed (platform default) but not combined with other red flags.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.3.22026/4/1
- Updated documentation to clarify that all personal information is sourced from environment variables rather than config files. - Improved setup instructions: now emphasizes setting environment variables in the shell, removing references to sourcing a config file. - Bumped version to 1.3.3. - No code changes to scripts/fill_template.sh; changes are documentation-only.
● stale
安装命令
点击复制官方npx clawhub@latest install jobautopilot-submitter
镜像加速npx clawhub@latest install jobautopilot-submitter --registry https://cn.longxiaskill.com