Skill v1.0.0

ClawScan security

JD + 简历 → 面试题预测助手 (JD + resume → interview question prediction assistant) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 9, 2026, 9:55 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code mostly matches the stated purpose (generate interview questions from JD + resume), but it calls an external LLM API and requires an API key that the skill metadata/SKILL.md does not declare, and there are minor instruction/path inconsistencies; these mismatches should be clarified before installation.
Guidance
This skill appears to do what it claims (parse JD/resume and call an LLM to produce interview questions), but before installing consider:
1) The code sends your JD and resume to an external LLM endpoint (default https://api.deepseek.com). If you provide an API key, your personal data will be transmitted to that provider; verify their privacy policy and trustworthiness.
2) The skill's metadata does not declare the required OPENAI_API_KEY/DEEPSEEK_API_KEY env var; SKILL.md also omits the need for an API key. Ask the author to document required credentials and the exact endpoint.
3) SKILL.md references a scripts/ path that doesn't match the included files; expect possible runtime path errors.
4) Run it in an isolated environment and avoid using a high-privilege API key (use a scoped/test key) until you confirm behavior.
If you want, I can draft a request you can send to the author asking them to declare required env vars, confirm the API provider, and fix the path/instruction mismatches.

Review Dimensions

Purpose & Capability
note: The name/description align with the included Python scripts: parse uploadable files and call an LLM to generate interview questions and a markdown report. Requiring PDF/DOCX parsers and an LLM call is reasonable for the stated functionality.
Instruction Scope
concern: SKILL.md shows exec commands and mentions pdfplumber/python-docx, but it does NOT mention the requirement to supply an LLM API key. The code sends JD and resume text to an external LLM endpoint (API_BASE + '/chat/completions'), which will transmit potentially sensitive resume data off-host. Also, SKILL.md refers to 'SKILL_DIR/scripts/parse_file.py' while the repository places parse_file.py at the skill root; this path mismatch may cause runtime errors or confusion.
Install Mechanism
ok: There is no install spec or remote download; the skill is instruction + local Python scripts. No high-risk installers or external archives are fetched by the skill itself.
Credentials
concern: generate_questions.py expects an API key via OPENAI_API_KEY or DEEPSEEK_API_KEY and a configurable API_BASE/LLM_MODEL. The skill registry metadata listed no required env vars/credentials. Requesting an LLM API key is proportionate to the functionality, but the omission from manifest/instructions is a material mismatch. The default API_BASE is set to https://api.deepseek.com; users should verify this provider and where their data will be sent.
Persistence & Privilege
ok: The skill does not request permanent/system-wide privileges, does not set always:true, and does not modify other skills' configurations. It runs as invoked and uses subprocesses to call local scripts.