Is lior539/remote-jobs-finder safe?
https://github.com/openclaw/skills/tree/main/skills/lior539/remote-jobs-finder
The remote-jobs-finder skill is a functionally legitimate remote job search assistant that connects an OpenClaw WhatsApp agent to the Remote Rocketship job board API. No prompt injection payloads, hidden instructions, or credential theft mechanisms were found in SKILL.md or the server extension code. The primary risk is privacy-related: the skill systematically collects and transmits user employment profile data (job titles, location, salary preferences, seniority) to a third-party service (remoterocketship.com) on every invocation, with an optional persistent polling mode. Canary file reads observed during the install window are attributable to the Oathe monitoring framework's baseline and post-install verification passes, not the skill itself.
Findings (7)
MEDIUM: Directive 'MANDATORY'/'MUST' language suppresses agent's ability to decline tool calls (-18)
SKILL.md uses strong directive phrasing including 'MANDATORY', 'you MUST call', 'Do NOT claim you can't fetch listings (you can)', and 'Do NOT ask the user to run any CLI' to constrain agent behavior. The explicit prohibition on the agent refusing to fetch listings bypasses the agent's normal safety gate for tool invocations. While these instructions serve legitimate UX goals, they leave the agent less room to exercise independent judgment and could be problematic if the underlying tool were compromised.
LOW: User job preferences and location data transmitted to third-party API on every search (-12)
Every invocation of rr_jobs_search sends the user's job titles, geographic location, seniority level, employment type, salary expectations, must-haves, and deal-breakers to https://www.remoterocketship.com/api/openclaw/jobs. The skill also instructs the agent to maintain a persistent user profile in memory and resend it with each query. While this is functionally necessary for the skill's stated purpose, it means a meaningful employment profile for the user is continuously transmitted to an external party.
LOW: filters parameter accepts arbitrary additional properties (-8)
The rr_jobs_search tool schema sets additionalProperties: true on the filters object, meaning the agent (or a prompt injection attack targeting the agent) could include arbitrary key-value pairs beyond the documented filter fields. If an adversarial prompt caused the agent to embed sensitive conversation context (e.g., credentials, personal information) as filter parameters, that data would be silently forwarded to the Remote Rocketship API endpoint.
LOW: Sensitive credential files read during install window; attribution ambiguous (-17)
inotify and auditd monitoring recorded READ-only (CLOSE_NOWRITE) accesses to /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application default credentials at two distinct times: 12:25:31 (6 seconds before the git clone initiated — clearly pre-install) and 12:25:49 (after install completed). The pre-install timing for the first batch strongly attributes them to the Oathe monitoring framework establishing a canary baseline. The post-install batch is consistent with a post-install verification pass. The skill itself contains no code that executes at install time beyond a simple file copy. All canary files were confirmed intact with no write events observed.
INFO: Shell installer copies TypeScript extension to OpenClaw extensions directory (-7)
install-server.sh uses cp to place index.ts and openclaw.plugin.json into ~/.openclaw/extensions/. The script is transparent and minimal (10 lines, set -euo pipefail, no downloads, no package installs). No npm scripts, preinstall/postinstall hooks, git hooks, gitmodules, gitattributes smudge filters, or symlinks were found in the repository.
INFO: Clean sparse GitHub clone; no unexpected network connections or process spawning (-8)
The installation process performed a standard depth-1 sparse checkout from github.com/openclaw/skills. Network traffic during clone was limited to github.com (140.82.121.4:443). No connections to unexpected IPs were observed during the clone phase. The connection diff confirms no new listening services were started post-install. Process execution log shows only expected git, cp, and rm operations.
INFO: Persistent job profile in agent memory and optional polling create ongoing data transmission (-22)
The skill instructs the agent to maintain a persistent user profile (targetTitles, locationFilters, seniorityFilters, mustHaves, dealBreakers, pollingCadence) in memory and resend it with each query. The optional hourly/daily polling feature would cause the agent to repeatedly transmit this profile to remoterocketship.com on a schedule without further user interaction, creating a persistent data-sharing relationship with a third party.