Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Resume Builder

v1.1.0

Professional AI resume builder that creates ATS-optimized resumes with tailored content, achievement highlighting, and industry-specific templates. Includes...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
SKILL.md describes a full JS API (ResumeBuilder.createResume, tailorResume, generateCoverLetter) and an install command, but the package bundle contains no executable code or install spec. The skill claims capabilities (PDF/DOCX export, ATS checks) that would normally require code or external services; none are provided. This mismatch means the skill cannot deliver what it advertises as-is.
Instruction Scope
Instructions themselves stay on-topic for a resume builder and do not instruct reading unrelated system files or secrets. However the documentation expects users/agents to provide personal data (names, emails, phone, experience) — expected for this use case, but a privacy risk if sensitive or excessive PII is supplied. The SKILL.md suggests an install command ('clawhub install ai-resume-pro') but gives no details about what that install would fetch.
! Install Mechanism
There is no install spec despite an 'Installation' section and a package.json manifest with no code entrypoint. Because this is instruction-only with no declared install source, it's unclear where 'clawhub install' would retrieve artifacts or whether any code would be installed. That uncertainty increases risk — you cannot verify what would be downloaded or executed.
Credentials
The skill declares no required environment variables, credentials, or config paths. There are no requests for unrelated credentials or system access in the instructions.
Persistence & Privilege
Flags show normal defaults (not always:true, agent-invocable allowed). The skill does not request persistent system privileges or to modify other skills. Nothing in SKILL.md asks to write system-wide config.
What to consider before installing
This skill looks incomplete rather than outright malicious: it documents a JS API and an install command but includes no code or safe install source and the homepage/source are unknown. Before installing or using it:
(1) Do not paste highly sensitive personal data (national IDs, bank details, exact salary history); only provide the resume fields needed.
(2) Ask the publisher for the implementation source or a trusted repository (GitHub/GitLab) and an install spec or signed package — verify what 'clawhub install' actually downloads.
(3) If you must test it, run installation in an isolated environment (VM/container) and monitor network/file activity.
(4) Prefer skills with a verifiable source, clear install instructions, or open-source code you can inspect.
If the author cannot supply a reasonable code repository or install manifest, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.
