resume-parser
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears aligned with local resume parsing, but users should treat resumes as sensitive and verify that the model backend and dependencies are truly local and trusted.
This skill looks suitable for its stated purpose. Before installing or using it, install dependencies from trusted sources, confirm whether OCR and the model backend are local, and avoid processing resumes unless you have permission to handle the personal information they contain.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or oddly formatted resume could make the parser produce inaccurate output, ignore the requested format, or include irrelevant instructions in the result.
The script interpolates user-provided resume text directly into a model prompt. That is central to the parser, but resumes can contain text that attempts to steer the model away from the requested JSON extraction.
简历文本:\n{text}Treat uploaded resume and JD text as untrusted data, keep strong delimiters around document content, and review extracted results before using them for decisions.
Installing dependencies without pinned versions can produce different behavior over time or depend on the user's package-index trust.
The documented setup uses unpinned packages and a manual install path. This is common for a Python-based parser, but version drift or package-source trust should be considered.
pip install PyPDF2 python-docx pytesseract pillow python-multipart
Use a trusted Python package index, consider pinning dependency versions, and install Tesseract OCR only from an official source if image OCR is needed.
Resume files may contain private contact, education, employment, and project details that should only be processed with the applicant's permission.
The skill is explicitly designed to extract personal resume fields and pass resume text into a model context. This is purpose-aligned, but the data is sensitive.
个人基本信息(姓名、电话、邮箱、年龄、性别、所在地) ... 将提取的文本传入大模型进行结构化信息提取
Use the skill only on resumes you are authorized to process, prefer a local model for sensitive resumes, and avoid retaining or sharing generated prompts and outputs unnecessarily.
A user may assume resume data never leaves the machine even though that depends on which model provider or local model they actually use.
The documentation makes a broad local-only privacy claim while also saying the generated prompts should be used with a model backend, including examples that may not always be local depending on the user's setup.
完全本地运行,无需外部API ... 大模型:本地部署的任意大模型(豆包/Claude/Ollama等)
Confirm the configured model backend before processing sensitive resumes, and clarify documentation to say the workflow is local only when a local LLM/OCR setup is used.