JobyBots · AI Job Hunter

Security · Honesty page

Why JobyBots is the safest job-search tool you'll ever run.

Most "AI job tools" are SaaS apps. You upload your résumé, your Gmail credentials, your LinkedIn cookie — and trust a company in another country to keep them safe forever. JobyBots flips that model. Everything runs on your laptop. We don't have a database. We don't have a server-side queue. We literally cannot leak data we don't have.

Zero servers · Zero telemetry · 100% auditable bash + Python

Why ".bat" and ".command" feel scary — and why JobyBots' aren't

.bat (Windows) and .command (macOS) files are just plain-text scripts. The reason they have a bad reputation is that any script can do anything the user could do — including malicious things. The same is true of a Word macro, a PowerShell script, or a Python file.

The right question isn't "is this file extension safe?" (no extension is). The right question is "can I read what this script does before I run it?"

You can read every JobyBots script in 90 seconds. Try it now.

  1. Right-click any .bat or .command file in your JobyBots folder.
  2. Choose Edit (Windows) or Open With → TextEdit (Mac).
  3. Read the file top-to-bottom. Every JobyBots script is between 30 and 80 lines, with section headers and English comments.

What every JobyBots script does, in one line each

All six together are about 250 lines of bash + batch. No obfuscation, no compiled binaries, no minified launchers.

Front-door menu

JOBYBOT.bat / mac/JobyBot.command

Shows you a numbered menu and calls one of the other scripts.

First-run installer

SETUP_FOR_FRIENDS.bat / mac/Setup.command

Detects Python, creates a .venv/ folder, runs `pip install -r python-deps.txt`, opens .env in your text editor, runs a health check.

One full cycle

RUN_BOT_NOW.bat / mac/RunBotNow.command

Calls `python jobybot.py run` once. Window stays open so you can watch.

24/7 scheduling

START_AUTOSCHEDULE.bat / mac/StartAutoSchedule.command

Windows: registers a Task Scheduler task. Mac: writes a launchd .plist into ~/Library/LaunchAgents.

Open local HTML

DASHBOARD.bat / mac/Dashboard.command

Opens data/dashboard.html in your default browser. That's it.

Self-audit

SECURITY_CHECK.bat

Verifies .env permissions, scans for accidentally committed secrets, prints a hash of every Python file. You can run this any time.

What JobyBots does on your machine

Five operations. That's the whole list.

  • Reads files YOU put there

    Reads your résumé PDF and the .env file you saved into the JobyBots folder. Never touches anything else on your disk.

  • Talks to public job boards

    HTTPS GET requests to LinkedIn, Bayt, Naukrigulf, GulfTalent, Indeed, RemoteOK and ~40 company career pages. Same traffic your browser makes when you visit them.

  • Sends mail through YOUR Gmail

    Authenticated SMTP connection to smtp.gmail.com:587 using the App Password you generated in your Google account. Replies land in your own inbox.

  • Calls Google Gemini

    HTTPS calls to generativelanguage.googleapis.com using the free API key you generated in Google AI Studio.

  • Writes back to ./data/

    Stores the SQLite tracker, dashboard.html, and run logs in a data/ subfolder inside JobyBots. Nothing escapes that folder.

And — explicitly — what it does not do

  • Ask for admin / sudo / UAC at any point
  • Read or modify files outside the JobyBots folder
  • Install drivers, services, browser extensions, or registry keys
  • Send any data to JobyBots-owned servers (we don't run any)
  • Use telemetry, analytics, error reporting, or crash dumps
  • Auto-update itself without your knowledge
  • Persist beyond a folder you can drag to Trash

Red flags to look for in any job-hunting tool

These are the things JobyBots was specifically built to not do. Use them as a checklist when evaluating any other tool too.

  • Asks for your raw Gmail password (not an App Password)
  • Wants admin / sudo / UAC privileges to install
  • Has obfuscated or compiled installers (no readable source)
  • Sends your résumé to a server you never agreed to
  • Mines your contacts or imports your LinkedIn connections
  • Auto-updates without your permission
  • Phones home with telemetry on every action

How the /setup wizard stays local

The wizard is a single-page React form. Every value you type lives in the browser's useState hook. When you click Download .env, the page assembles the file using the Blob API and triggers a normal browser download. No fetch(), no XMLHttpRequest, no analytics on the values you typed.

You can verify this yourself in 30 seconds:

  1. Open /setup in Chrome or Edge.
  2. Press F12 → Network tab.
  3. Click the 🚫 Clear button to start fresh.
  4. Fill in the form and click Download .env.
  5. You'll see zero new requests — only the original page load. Nothing leaves your browser.

What JobyBots does store, server-side

Honest answer: just enough to deliver the product. The full list is short.

  • Stripe / Razorpay payment record — name, billing email, transaction ID, amount. Required for tax + refund compliance. Held by the payment processor; we have read access.
  • License-key email — the email address Stripe sends us when you pay, so we can mail you the installer ZIP. Stored in a single Postgres table on Vercel.
  • Standard web logs — Vercel's edge logs (IP, page visited, user-agent) for 30 days. Same as any website.

That's it. We don't store: your résumé, Gmail address, App Password, Gemini key, LinkedIn cookie, search history, applied-jobs database, recruiter emails, replies, or any text you type into the wizard.

Audit JobyBots yourself in 5 minutes

  1. Open every .bat / .command in Notepad / TextEdit. Read top to bottom. Total: about 250 lines.
  2. Open jobybot.py and core/*.py in any code editor. Search for requests.post and read every URL the bot calls. You'll find LinkedIn, Bayt, Naukrigulf, GulfTalent, Indeed, RemoteOK, smtp.gmail.com, generativelanguage.googleapis.com, api.groq.com, and a list of ~40 company career-page domains. Nothing else.
  3. Run SECURITY_CHECK.bat after install. It (a) verifies .env permissions, (b) scans the project for any accidentally committed secrets, (c) prints SHA-256 of every Python file. Re-run any time to confirm nothing has changed without your knowledge.
  4. Inspect outgoing traffic with Wireshark / Little Snitch / Lulu. You will see HTTPS connections only to job boards, Gmail SMTP, and Gemini. No traffic to anything ending in .jobybots.com. Promise.
  5. Drag the JobyBots folder to Trash to uninstall. On Windows: also run `schtasks /Delete /TN JobyBotScheduler /F`. On Mac: also double-click StopBot.command to remove the launchd agent. Done. Nothing left on your system.

Still nervous?

Run JobyBots in a virtual machine first.

Install VirtualBox or UTM, spin up a clean Windows 11 / macOS VM, run JobyBots inside it. If everything looks fine after a week, promote it to your real machine. We support this — it's how the founder ran the first version himself.