tech recruiter pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This recruiting skill mostly matches its stated purpose, but it includes broad candidate profiling and instructions to use a proxy when blocked by CAPTCHA, so it should be reviewed carefully before use.
Install only if you are comfortable with a recruiting workflow that gathers candidate profile/contact data across public platforms. Do not let it bypass CAPTCHAs or anti-bot protections; prefer official APIs and explicit user approval. Use limited credentials, review candidate records before saving/exporting, and establish privacy/retention rules before using it with real candidates.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could violate platform rules, trigger blocks, or create legal/compliance risk for the user while scraping candidate data.
The skill instructs the agent to respond to a CAPTCHA by using a proxy IP, which is a concrete anti-bot-evasion instruction rather than a normal, bounded recruiting workflow.
# Error Handling
# - On CAPTCHA: pause 5 minutes, use a proxy IP
Do not bypass CAPTCHAs or anti-bot controls. Use official APIs, approved exports, rate limits, and explicit user approval for any scraping.
If over-scoped tokens are used, the recruiting assistant may have broader access to social or developer accounts than needed.
The documentation describes optional provider credentials for enhanced platform access. This is purpose-aligned, but users should notice that these credentials are not declared in the registry requirements.
export GITHUB_TOKEN=your_token
export LINKEDIN_API_KEY=your_key
export LINKEDIN_API_SECRET=your_secret
export TWITTER_BEARER_TOKEN=your_token
Use least-privilege tokens, avoid personal high-privilege accounts, and revoke credentials when no longer needed.
Candidate personal data may persist locally or in connected recruiting systems, creating privacy and retention obligations.
The code defines local data storage and candidate profile fields that can include personal contact information and recruiter notes.
DATA_DIR = RECRUITER_DIR / "data"
...
"邮箱": self.email,
...
"LinkedIn": self.linkedin,
...
"备注": "\n".join(self.notes)
Store only necessary candidate data, review records before saving or exporting, define retention/deletion practices, and avoid collecting non-public or irrelevant personal information.
Manual installation could pull newer package versions than the author tested.
The dependency list uses broad lower-bound version ranges. The provided artifacts do not show automatic installation, so this is a setup/provenance note rather than a direct execution concern.
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Install in an isolated environment and prefer pinned, reviewed dependency versions for production use.
Users may overestimate the compliance posture of a workflow that collects and stores candidate profile data across platforms.
The documentation makes broad privacy/compliance claims while the visible artifacts do not fully specify retention, consent, deletion, or platform-policy controls.
✅ Use only public information
✅ Comply with GDPR/privacy laws
✅ Provide opt-out option
Treat the compliance statements as guidance, not proof. Confirm legal basis, platform terms, opt-out handling, and data retention rules before using this for real recruiting.
