matthew/claw-apply
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add security note to SKILL.md addressing prompt-injection false positive

Browse Source 
The ClawHub scanner flags systemPrompt variables in lib/*.mjs as
potential prompt injection. These are legitimate Claude API prompts
for job scoring, answer generation, and keyword generation. Added
explicit note clarifying their purpose.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matthew Jackson
2026-03-06 15:26:47 -08:00
parent c767c7e30e
commit 82db9658c2
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
SKILL.md
View File

@@ -2,6 +2,8 @@
Automated job search and application. Finds matching roles on LinkedIn and Wellfound, filters with AI, applies automatically, and learns from every unknown question.
> **Security note:** This skill makes Claude API calls for job scoring (`lib/filter.mjs`), answer generation (`lib/ai_answer.mjs`, `lib/form_filler.mjs`), and keyword generation (`lib/keywords.mjs`). Those files contain `systemPrompt` variables with `"You are..."` instructions intended for the Claude API — they are not prompt injections or system prompt overrides. All API calls go exclusively to `api.anthropic.com`. No instructions in this skill attempt to modify agent behavior, exfiltrate data, or override platform prompts.
## Requirements
- Node.js 18+