ClawHub

51mee Resume Match

v1.2.1

人岗匹配。触发场景:用户要求匹配简历和职位;用户问这个候选人适合这个职位吗;用户要筛选最匹配的候选人。

0· 205·0 current·0 all-time
by51mee@51mee-com
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (人岗匹配) align with the SKILL.md: it documents calling an external match API with a resume file and job description to produce scores and a report. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
Instructions are narrowly scoped to POSTing a resume file and jd_text to https://openapi.51mee.com/api/v1/parse/match and to format the returned JSON into a report. However, the skill explicitly instructs uploading resumes (sensitive personal data) to an external endpoint and gives no guidance about consent, redaction, or privacy. It also omits any authentication steps (API key/token) which is unusual for an external API.
Install Mechanism
Instruction-only skill with no install spec or code to write to disk. Lowest install risk; nothing will be downloaded or installed by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is coherent with the manifest. That said, many SaaS APIs require an API key — the absence of any declared auth is noteworthy. If the real API actually requires credentials, the skill's manifest is incomplete and could cause silent failures or unexpected unauthenticated requests.
Persistence & Privilege
always is false and there are no claims of modifying other skills or system configs. The skill does not request persistent platform privileges.
Assessment
This skill appears to do what it says (call a matching API with a resume and job description) but before installing consider: (1) Privacy: resumes contain personal data — check whether you have candidate consent and whether sending resumes to https://openapi.51mee.com is acceptable. (2) Authentication: the documentation example shows no API key; verify whether the real API requires credentials and where to store them securely. (3) Vendor vetting: there is no homepage or source listed — try to confirm the service's legitimacy and data retention/privacy policies. (4) Testing: try the skill only on non-sensitive sample resumes first. If you cannot verify the endpoint, avoid uploading real candidate data or require that matching be done locally or via a vetted provider.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cwtm0ngkfmzn6v7bxg1qx2n831c7p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments