Trust Assessment
Job Search MCP received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings: execution of code from an unverified external GitHub repository, and use of loosely pinned Python dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Execution of code from unverified external GitHub repository. The skill instructs the user to clone and execute code from an external GitHub repository (https://github.com/chinpeerapat/jobspy-mcp-server.git). This introduces a significant supply chain risk, as the integrity and security of this third-party repository are not guaranteed. Malicious code introduced into this repository could compromise the user's system when they install and run it. Recommendation: provide a verified, immutable source for the MCP server code (e.g., a specific release tag or commit hash, or a package published to a trusted registry). Include a hash or signature verification step for the cloned repository. Alternatively, host the necessary server code directly within the skill package if feasible, or provide a more controlled installation method. | LLM | SKILL.md:40 |
| MEDIUM | Use of loosely pinned Python dependencies. The skill's installation instructions specify Python dependencies using minimum version pins (e.g., `mcp>=1.1.0`, `python-jobspy>=1.1.82`). While this ensures a minimum version, it allows automatic upgrades to newer versions. If a future version of any of these dependencies introduces a vulnerability or breaking change, it could affect the security or stability of the skill without explicit review. Recommendation: pin all dependencies to exact versions (e.g., `mcp==1.1.0`) to ensure deterministic builds and prevent unexpected issues from upstream changes. Regularly review and update these pinned versions. | LLM | SKILL.md:34 |