Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Resume JD Match — JD定制简历

v2.0.0

AI-powered JD-matched resume generator with native Chinese and English support. Collects structured user profile (work history, projects, skills, education),...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the behavior: collecting a structured profile, parsing JDs, generating HTML/PDF resumes, and saving files under workspace/resumes/. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are mostly scoped to profile collection, JD parsing, HTML generation, and local PDF export. However, the SKILL.md says "PDF export uses local headless browser... No network requests," yet the skill also accepts a JD URL as input (which implies fetching remote content) — this is a contradiction that should be clarified. Also the export is performed by scripts/export-pdf.ps1, but that script's contents were not included for review; the behavior of that script (network calls, temp files, external executables invoked) is unknown.
Install Mechanism
Instruction-only skill with no install spec and no code files beyond templates/instructions. Low install risk because nothing is written to disk by an installer. The only runtime writes are the files the skill itself asks to save in workspace/ (profile and resumes).
Credentials
No environment variables, credentials, or config paths are requested. The skill's data needs (personal profile) are proportional to the stated purpose.
Persistence & Privilege
Does not request elevated privileges and is not always-enabled. It persists user-sensitive data locally (resume-profile.md and generated files in resumes/). This is expected but important for privacy — the agent will store personally identifiable information in the workspace by design.
What to consider before installing
This skill appears to be what it claims (a resume/JD matching tool) but there are two things to check before use: (1) Ask for or inspect the contents of scripts/export-pdf.ps1 (not provided) to ensure the export runs locally and does not call external endpoints or execute unexpected commands. (2) Confirm how URL inputs are handled — if the agent will fetch remote job-page URLs, understand that network requests will occur despite the SKILL.md's "No network requests" statement. Also: be aware the skill stores sensitive personal data in workspace/resume-profile.md and in resumes/; if you install, keep that workspace private or review/remove the profile file after use. If you can't inspect the export script or get clarity on URL fetching, treat this skill cautiously or run it in a restricted/sandboxed environment.


Tags: ats, chinese, jd-match, job-search, latest, pdf, resume
