job-posting-intent

Fail

Audited by Socket on Apr 23, 2026

2 alerts found:

Anomaly, Malware
Anomaly: LOW
SKILL.md

SUSPICIOUS: The skill’s purpose and capabilities broadly align, but it sends search activity and lead data through third-party services, including a non-official Apify marketplace actor and an intermediary Rube/Composio path for Google Sheets. This is not fundamentally incompatible with the stated lead-gen use case, but the preconfigured/default RUBE token note and indirect data flow make the trust model weaker than a direct official API integration.

Confidence: 85%; Severity: 61%
Malware: HIGH
scripts/create_sheet_mcp.py

The code is not simply benign data processing. It builds and transmits a large remote-executable payload to a remote workbench, effectively enabling remote code execution on an external service. Coupled with a hardcoded JWT and dependence on external tooling (googlesheets via the remote workbench), this represents a high opportunity for misuse, data exposure, or control by an attacker if the remote service is compromised or abused. The immediate risk is remote code execution and data leakage via the remote workbench and Google Sheets API, amplified by hardcoded credentials.

Confidence: 65%; Severity: 90%
Audit Metadata
Analyzed At: Apr 23, 2026, 01:07 PM
Package URL: pkg:socket/skills-sh/athina-ai%2Fgoose-skills%2Fjob-posting-intent%2F@12b7ab1ac9a99a6a2b0afe22387786702988896d