Back to skill
Skillv0.1.1
ClawScan security
Resume Rocket · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 23, 2026, 2:44 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill mostly implements what it claims (resume parsing, LLM-based rewriting, optional auto-apply), but its runtime instructions and code contain several important inconsistencies and privacy/payment risks you should understand before installing.
- Guidance
- Key things to consider before installing/use: - Privacy: Despite the SKILL.md claim that résumé data 'does not upload to the cloud', the tool sends resume fragments and JD text to the configured LLM provider when doing rewrite or generating interview cards. That means your resume content will be transmitted to whichever LLM service you configure. If you are concerned about sensitive personal data, do not enable LLM features or scrub PII first. - Do NOT share your personal LLM API key with the developer or anyone else. The repo/ docs ask users to paste keys for testing — you should refuse. Configure and use your own key locally instead. - License/payments: The project uses a local, HMAC-based offline license scheme with a default secret baked into the code. If published with that default secret, attackers (or anyone with the repo) could generate valid activation codes to bypass paid gating. If you plan to use or distribute this skill, replace RR_LICENSE_SECRET with a secure secret and move license verification to a server you control. - Private payments / off-platform activation: The payment flow described (QR + manual activation via codes) is off-platform and hard to audit. Expect limited buyer protections and manual delivery delays. - Auto-apply risk: The Pro auto-apply feature automates applications to job platforms and admits the risk of account suspension; use conservatively and prefer manual control. - If you want to proceed: audit or remove the scripts that generate licenses (scripts/gen-license.py) and the default secret before publishing; run the code locally using your own LLM key; never give your key to the maintainer; and verify the skill.json pricing_server usage if you expect server-side verification. If you are uncomfortable with these issues, mark the skill as untrusted or require more changes from the author before using.
Review Dimensions
- Purpose & Capability
- noteCode and SKILL.md align with the stated purpose: parsing resumes, extracting JD keywords, scoring, rewriting via LLM, exporting DOCX/MD, and a Pro auto-apply flow (stubbed call to boss-zhipin). Minor mismatch: skill.json includes a pricing_server URL that the code does not call (unused/inconsistent). Overall capabilities match the description.
- Instruction Scope
- concernSKILL.md claims '简历数据不上传云端', but the code sends resume snippets and JD text to remote LLM providers via the OpenAI client (rewriter.generate and interview generation). Additionally, the documentation and DAY2 report explicitly encourage users to hand over their LLM API key to the developer for testing — that's a social-engineering/privacy risk and not required for normal operation (the code accepts a local key but should never require sending it to third parties). The Pro auto-apply flow uses a local subprocess and currently only prints a stub; the code does attempt to perform network scraping of JD URLs (requests) which is expected for JD fetcher.
- Install Mechanism
- okThere is no remote arbitrary download/install payload. Dependencies are standard Python packages listed in requirements.txt (python-docx, pdfplumber, requests, openai). No install spec that fetches code from untrusted URLs and no archive extraction. This is proportionate to the task.
- Credentials
- concernThe skill sensibly requests an LLM API key (RR_LLM_KEY or common fallbacks) which is necessary for rewrite/interview features. Concerns: (1) SKILL.md and in-repo docs encourage users to share their API key with the developer for testing — unnecessary and risky. (2) The license system uses a local HMAC secret (RR_LICENSE_SECRET) hard-coded default in the repo; publishing that secret allows anyone to generate valid-looking activation codes locally, undermining the paid gating. (3) skill.json marks llm-key required but the code gracefully degrades without a key; this inconsistency may mislead install-time validation.
- Persistence & Privilege
- noteThe skill does not request elevated system privileges or 'always' installation. It writes a usage file under the user's home (~/.openclaw/resume-rocket-usage.json) and outputs to a local ./output directory — expected for this tool. Auto-apply could perform many outbound requests (to job sites) when used in Pro mode; that behavior is opt-in and gated by the license check, but bear in mind account risk when using automated application.