Skill v2.1.0
ClawScan security
Recruiting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 1:40 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description claims a full recruiting suite, but the packaged files implement only a small subset and many referenced scripts/docs are missing or inconsistent — this mismatch could cause runtime errors or unexpected behavior.
- Guidance: This package claims a full recruiting toolkit but only ships three small scripts; many commands and reference docs mentioned in SKILL.md are missing. Before installing or using it:
  1. Do not assume missing features exist — ask the publisher for the missing scripts (screen_candidate.py, prep_interview.py, draft_email.py, view_pipeline.py, set_reminder.py, generate_report.py) and referenced docs.
  2. Verify the exact data storage path (scripts use ~/.openclaw/workspace/memory/recruiting) and ensure you are comfortable storing candidate PII there; sanitize/remove sensitive fields (SSN, DOB) as recommended.
  3. Test in a sandbox workspace to observe runtime behavior and confirm there are no network calls.
  4. If you need the full described functionality, request a complete release or a clear changelog; the current mismatch could cause the agent to attempt non-existent actions or fail unexpectedly.
Review Dimensions
- Purpose & Capability: concern. Name/description describe a full hiring workflow (screening, interview prep, drafting communications, reminders, reports). The repo contains only three operational scripts (create_job.py, add_candidate.py, update_pipeline.py) that cover basic job/candidate/pipeline updates. Several claimed scripts and reference docs (e.g., screen_candidate.py, prep_interview.py, draft_email.py, view_pipeline.py, set_reminder.py, generate_report.py, references/communications.md, references/interview-prep.md, references/fair-hiring.md) are referenced in SKILL.md but are not present. This is disproportionately incomplete relative to the stated purpose.
- Instruction Scope: concern. SKILL.md instructs the agent to run many scripts that are not in the file manifest; that will lead to runtime failures or confused behavior if the agent follows the instructions. SKILL.md promises data is stored in memory/recruiting/, while scripts actually write to ~/.openclaw/workspace/memory/recruiting, a path mismatch. The instructions otherwise limit data storage to local files and explicitly forbid external sharing, and the included scripts do only local file I/O (no networking).
- Install Mechanism: ok. No install spec or external downloads; scripts are provided in the package and run locally. There are no network fetches or package installs declared. This is a lower-risk install profile.
- Credentials: ok. The skill requests no environment variables or credentials, and the scripts do not read secrets or external configs. Data is written under the user's home (~/.openclaw/workspace/memory/recruiting). That local storage choice is reasonable for a recruiting helper, though it should be documented that PII must be handled carefully.
- Persistence & Privilege: ok. always:false and normal invocation properties. The skill does not request persistent platform privileges or modify other skills. Its files write only to a per-user directory and do not change system-wide settings.
