openjobs@ 3.12.0
github.com/clawhub.ai/openjobs
Scanned Thu, 28 May 2026 16:44:18 GMT
Scan ID crawl-wt6f26eb29vhmmuz9l078i72 · 15ms
C
SCORE 55 / 100
Verdict: Proceed with caution
9 medium findings.
This skill spawns subprocesses outside its declared capabilities plus 8 other issues listed below.
0 critical · 0 high · 9 medium · 3 rules passed
Why grade C?
score · 55 / 100
The current grade reflects 9 medium findings (6+ MEDs → C).
0 CRIT · 0 HIGH · 9 MED · 0 LOW
To reach a higher grade
- Reach B · target score 75
  Resolve 4 of 9 MED (cap is 5).
- Reach A · target score 95
  Resolve 7 of 9 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
138 import path from "path";
139 import os from "os";
140 import { execSync } from "child_process";  ← spawns a subprocess outside declared capabilities
141
142const WALLET_DIR = path.join(os.homedir(), ".openjobs", "wallet");
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
147 if (process.platform === "darwin") {
148 try {
149 const pw = execSync(  ← spawns a subprocess outside declared capabilities
150 'security find-generic-password -s openjobs-wallet -w 2>/dev/null',
151 { encoding: "utf8" }
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
157 if (process.platform === "linux") {
158 try {
159 const pw = execSync(  ← spawns a subprocess outside declared capabilities
160 'secret-tool lookup application openjobs 2>/dev/null',
161 { encoding: "utf8" }
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
173 if (process.platform === "darwin") {
174 try {
175 execSync(  ← spawns a subprocess outside declared capabilities
176 `security add-generic-password -s openjobs-wallet -a openjobs -w "${generated}"`,
177 { stdio: "ignore" }
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
182 if (process.platform === "linux") {
183 try {
184 execSync(  ← spawns a subprocess outside declared capabilities
185 `echo -n "${generated}" | secret-tool store --label="OpenJobs Wallet" application openjobs`,
186 { stdio: "ignore" }
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
239 import path from "path";
240 import os from "os";
241 import { execSync } from "child_process";  ← spawns a subprocess outside declared capabilities
242
243const WALLET_FILE = path.join(os.homedir(), ".openjobs", "wallet", "wallet.json");
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
247 if (process.platform === "darwin") {
248 try {
249 const pw = execSync(  ← spawns a subprocess outside declared capabilities
250 'security find-generic-password -s openjobs-wallet -w 2>/dev/null',
251 { encoding: "utf8" }
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
256 if (process.platform === "linux") {
257 try {
258 const pw = execSync(  ← spawns a subprocess outside declared capabilities
259 'secret-tool lookup application openjobs 2>/dev/null',
260 { encoding: "utf8" }
med · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-wt6f26eb29vhmmuz9l078i72