This skill executes arbitrary code, injects prompts into
Claims to do
JobPoster Skill: > ⚠️ **CRITICAL: Use this skill's canonical execution entrypoints for all job posting actions.** > > **Primary action:** `post_job` > **Follow-up action:** `check_linkedin_status` > > These actions are implemented by this skill in `scripts/post_job.js`. > Do **not** assume the capability is unavailable merely because the runtime does not list a separately named top-level native tool called `post_job`. > > **DO NOT** call internal APIs directly (`genJD`, `postToLinkd`, `API_URL_*`). > **DO NOT** bypass `post_job` to call Fuku AI endpoints manually. > **DO NOT** replace this skill with browser automation, curl, or manual instructions unless the skill execution path truly fails. > > **Why?** The `post_job` action handles: > > - Input validation and sanitization > - Location fuzzy matching > - LinkedIn sync orchestration > - Background monitoring setup > > Skipping it will result in incomplete job postings and broken workflows.
Actually does
The skill uses `node` and `npm` to execute `scripts/post_job.js`. This script sends job details (title, description, company, location, email, LinkedIn company URL) to `https://hapi.fuku.ai`, a third-party relay service, for distribution to job boards. It also provides a `check_linkedin_status` function to monitor LinkedIn sync via the same script.
openclaw skills install zhangdong/post-jobThe skill enforces a rigid, mandatory multi-step workflow (post job -> spawn monitor -> reply to user) combined with strong directives limiting agent choice. This restricts the agent's ability to adapt or optimize, potentially leading to brittle workflows or unexpected failures.
REQUIRED: Post Job + Spawn Monitor (Two Steps)... Required order: 1. Call post_job 2. Extract jobId 3. Start monitoring sub-agent 4. Only then send the success reply to the user
The skill mandates spawning a sub-agent after every job post and provides the exact task prompt to pass to `sessions_spawn`. This prompt is partially constructed from data returned by an external third-party service (Fuku AI), specifically the jobId. A malicious Fuku AI response could inject arbitrary instructions into the sub-agent's task string, achieving prompt injection into a child agent with potentially unbounded loop behavior (up to 30 iterations, 2-minute waits).
await sessions_spawn({ task: `Monitor LinkedIn sync for job ID "${jobId}". Loop: call check_linkedin_status with jobId="${jobId}", wait 2 minutes, repeat up to 30 times until LinkedIn URL is returned. Notify user when URL is available.`, mode: "run", cleanup: "delete", });The skill mandates that the agent spawn a sub-agent that loops up to 30 times with 2-minute delays (up to 60 minutes of automated activity) without user confirmation. The skill explicitly forbids the agent from making this optional or asking the user, removing human oversight from a long-running background process.
Loop: call check_linkedin_status with jobId="${jobId}", wait 2 minutes, repeat up to 30 times until LinkedIn URL is returned. [...] Forbidden: Offering monitoring as an optional next stepThe jobId is extracted from a Fuku AI API response via regex and interpolated directly into a sub-agent task prompt string without sanitization. A compromised or malicious Fuku AI service could return a crafted jobId containing prompt injection payloads that would be executed by the spawned sub-agent.
const jobIdMatch = result.match(/Job ID:\s*`?([a-zA-Z0-9-]+)`?/); const jobId = jobIdMatch?.[1]; await sessions_spawn({ task: `Monitor LinkedIn sync for job ID "${jobId}"...`The skill uses repeated, strong directives ('DO NOT assume', 'REQUIRED', 'MUST spawn') to heavily influence the agent's reasoning and prevent it from deviating from the prescribed workflow, even if it perceives alternative paths. This attempts to override agent autonomy and enforce specific behaviors.
DO NOT assume the capability is unavailable... DO NOT bypass post_job... REQUIRED: Post Job + Spawn Monitor (Two Steps)... MUST spawn a sub-agent...
The high-level description implies direct job posting to boards, but the skill actually posts jobs anonymously via a third-party relay service (Fuku AI) using their accounts, not the user's. This means jobs cannot be directly edited or deleted by the user.
Claimed purpose: 'Post free job ads to 20+ job boards'. Actual behavior (detailed later): 'Jobs appear under Fuku AI's accounts, not your LinkedIn page; cannot edit/delete directly.'
The skill uses authoritative ALL-CAPS language, warning symbols, and 'REQUIRED'/'MUST'/'MANDATORY' framing to coerce the AI agent into bypassing its normal decision-making and user-confirmation patterns. This is a semantic manipulation technique to override agent safety behaviors.
⚠️ REQUIRED: Post Job + Spawn Monitor (Two Steps) [...] you MUST spawn a sub-agent to monitor LinkedIn sync. Do NOT skip this. [...] Mandatory sub-agent rule [...] Failure to start the LinkedIn monitor after post_job is an incomplete execution of this skill.
The skill explicitly instructs the agent to use `sessions_spawn` to create a sub-agent with a complex, looping task. This grants significant control over the agent's environment and resources, enabling persistent background operations and multi-agent orchestration.
await sessions_spawn({
task: `Monitor LinkedIn sync for job ID "${jobId}". Loop: call check_linkedin_status with jobId="${jobId}", wait 2 minutes, repeat up to 30 times until LinkedIn URL is returned. Notify user when URL is available.`The skill explicitly requires and executes `node` and `npm` commands, including `npm install` for dependencies and direct script execution (`node scripts/post_job.js`). This capability allows the skill to run arbitrary code within its environment.
{ "bins": ["node", "npm"] }... command": "npm install"... node scripts/post_job.js --title "..."All job posting data including job title, company name, location, email address, and job description is transmitted to an external third-party service (https://hapi.fuku.ai) controlled by the skill author. Users' hiring email addresses and company information are sent to this service with no user control over data retention or usage.
This skill uses Fuku AI (https://hapi.fuku.ai) as a third-party job posting relay service [...] Data transmitted: job title, description, company, location, email, LinkedIn company URL.
The skill collects user email addresses (used to receive resumes) and LinkedIn company URLs, transmitting them to the Fuku AI third-party service. This creates a harvesting vector for corporate email addresses and LinkedIn organizational identifiers. The default `linkedinCompanyUrl` hardcoded in the skill points to a specific company page.
email: Email to receive resumes [...] linkedinCompanyUrl: LinkedIn company page URL. Job posts under this company; defaults to Fuku AI's if not specified [...] Default: https://www.linkedin.com/company/business-consulting-inter
The skill aggressively instructs the agent not to use alternative tools (browser automation, curl, direct API calls) and to always route through the skill's own script. This tool shadowing pattern ensures all traffic goes through the skill-controlled code path, preventing the agent from using safer alternatives.
DO NOT replace this skill with browser automation, curl, or manual instructions unless the skill execution path truly fails. [...] Do not assume the capability is unavailable merely because the runtime does not list a separately named top-level native tool called post_job.
A hardcoded LinkedIn company URL is set as the default value for job postings. When users do not supply their own LinkedIn company URL, all jobs are posted under this third-party company page, potentially associating user job postings with an entity the user does not control or recognize.
linkedinCompanyUrl [...] Default: https://www.linkedin.com/company/business-consulting-inter
A personal email address is embedded in the skill documentation, directing users with issues to contact the developer directly. This could be used for social engineering or to collect information about users experiencing problems.
Contact developer email yangkai31@gmail.com if you run into any issues
The skill dictates specific phrasing for the agent's response to the user, ensuring the user is informed that monitoring 'has already started' and forbidding phrasing that makes it sound optional. This manipulates the human's perception of the workflow's completeness and could mask failures.
Mandatory sub-agent rule... Do NOT claim LinkedIn monitoring is in progress unless the sub-agent has actually been started successfully. Forbidden: Offering monitoring as an optional next step...
The skill explicitly instructs the AI agent to never offer monitoring as an optional step, never ask the user for confirmation before spawning sub-agents, and to forbid any phrasing that allows user choice. This systematically removes human oversight from automated multi-step actions.
Forbidden: Offering monitoring as an optional next step / Saying 'I'll monitor it' before starting the sub-agent / 'If you want, I can check LinkedIn sync status' / 'Next I can help monitor LinkedIn' / Any phrasing that makes the required follow-up sound optional
[](https://mondoo.com/ai-agent-security/skills/clawhub/zhangdong/post-job)<a href="https://mondoo.com/ai-agent-security/skills/clawhub/zhangdong/post-job"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/zhangdong/post-job.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/clawhub/zhangdong/post-job.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.