Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HR面试评价助手 (HR Interview Evaluation Assistant)

v1.0.0

🎯 Smart interview evaluation assistant. Triggered by a keyword phrase; automatically combines the JD text, the resume document and the interview record document to generate a professional interview evaluation report. [Trigger phrases] 面试评估 (interview evaluation), 生成评估报告 (generate evaluation report), 候选人评估 (candidate evaluation), 面试评价 (interview review), 评估候选人 (evaluate candidate) [How to use] 1. Send a trigger phrase (e.g. '面试评估') 2. Paste the JD text 3. Upload the resume as PDF/Word 4. Upload the interview record as PDF/Word (...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (an HR interview evaluator that parses resumes and interview records and exports a report) are consistent with needing file parsing and PDF generation. However, the metadata lists dependencies (file-parse, nos-cli, weasyprint), and the SKILL.md refers to local scripts (scripts/export_report.py, scripts/generate_radar.py) that are not present in the package. weasyprint (PDF export) is reasonable; nos-cli is unexplained and may be unrelated to the stated purpose. Requiring tools or components that the package does not provide is an incoherence between what the skill says it does and what it actually ships.
Instruction Scope
The SKILL.md instructs the agent to request JD text and uploaded resume/interview files, to run parsing and export workflows (including Python scripts), and to call LLM-based parsing functions. It also instructs the agent to generate and export PDF/PNG files. There is no guidance on where uploaded candidate data is processed or stored, or on whether it is sent to external services. The instructions reference scripts and code (the export and generate scripts) that are not included in the skill bundle, so the runtime behavior is underspecified and may depend on external tooling or on other skills.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so install-time risk is low. However, the declared requirements (weasyprint, nos-cli, file-parse) imply runtime dependencies that the skill neither installs nor provides; with no installation instructions, it is unclear whether the platform is expected to supply them or whether the skill expects arbitrary changes to the execution environment.
Credentials
The skill requests no environment variables, credentials, or config paths, which is appropriate for an on-platform document-processing helper. That said, the SKILL.md uses LLM parsing calls (parse_jd_with_llm) without disclosing whether candidate data is sent to external APIs or logged; the absence of declared endpoints and credentials leaves the data flow unclear rather than confirmed safe.
Persistence & Privilege
`always` is false and the skill is user-invocable (normal). The skill declares activation keyword and file triggers, but nothing indicates that it requests persistent system-wide privileges or modifies other skills, and there is no evidence that it writes permanent credentials or config.
Scan Findings in Context
[no_regex_findings] expected: the regex scanner found nothing to analyze because this is an instruction-only skill with no code files. That is expected, but the absence of findings is not evidence that the runtime behavior is safe: the behavior lives in the natural-language instructions and in components the bundle does not ship, neither of which the regex scanner inspects.
What to consider before installing
Before installing, ask the publisher these questions:
1. Where do uploaded resumes and interview records get processed and stored? Do they leave your platform or the organization's network?
2. Provide the missing code, or confirm which platform-provided components implement scripts/export_report.py and scripts/generate_radar.py as referenced in SKILL.md.
3. Explain what nos-cli is and why it is required; provide install instructions or a justification for every declared dependency.
4. Confirm the data retention, logging, and deletion policies for candidate PII, and whether generated reports are persisted or transmitted anywhere.
5. If local execution of the export scripts is required, ensure the platform has trusted implementations of the runtime (weasyprint, Python) and vet them.
If these questions are not answered satisfactorily, do not enable the skill for sensitive candidate data.
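The coherence problem the scan keeps returning to (a SKILL.md that references scripts and dependencies the package does not ship) can be checked mechanically before the skill is installed. The following is an added example written for this page, not code from the skill, from ClawHub, or from the OpenClaw scanner. It builds a constructed bundle in a temp directory that mirrors the situation described above (a SKILL.md referencing scripts/export_report.py and scripts/generate_radar.py and declaring file-parse, nos-cli and weasyprint, with no scripts/ directory) and reports which referenced scripts are missing, which declared dependencies do not resolve on PATH, and whether the package is instruction-only. The frontmatter layout (`requires: [...]`) and the script-path regex are assumptions for the example, not the registry's real manifest schema; adapt them to the actual format.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample bundle mirroring the case described in the scan report:
# SKILL.md declares dependencies and references helper scripts that the
# package does not actually contain. The frontmatter layout is an
# assumption for this example, not the registry's real schema.
SAMPLE_SKILL_MD = """\
---
name: hr-interview-evaluator
requires: [file-parse, nos-cli, weasyprint]
---
Parse the resume, then run `python scripts/export_report.py` to export the
PDF and `python scripts/generate_radar.py` for the radar chart.
"""

# Assumed conventions: script references look like scripts/<name>.py and the
# dependency list is a flat YAML-style inline list on a `requires:` line.
SCRIPT_REF = re.compile(r"\bscripts/[\w./-]+\.py\b")
REQUIRES = re.compile(r"^requires:\s*\[([^\]]*)\]", re.MULTILINE)
CODE_SUFFIXES = {".py", ".sh", ".js", ".ts"}


def parse_skill_md(text: str) -> tuple[set[str], set[str]]:
    """Return (declared dependency names, referenced script paths)."""
    m = REQUIRES.search(text)
    deps = {d.strip() for d in m.group(1).split(",") if d.strip()} if m else set()
    scripts = set(SCRIPT_REF.findall(text))
    return deps, scripts


def audit_bundle(bundle: Path, resolver=shutil.which) -> dict:
    """Cross-check SKILL.md against what the bundle ships.

    Flags referenced scripts missing from the package, declared dependencies
    that do not resolve on PATH (the skill has no install step, so nothing
    will provide them), and whether the package is instruction-only, i.e.
    contains no code files for a regex scanner to inspect at all.
    """
    deps, scripts = parse_skill_md((bundle / "SKILL.md").read_text())
    missing_scripts = sorted(s for s in scripts if not (bundle / s).is_file())
    unresolved_deps = sorted(d for d in deps if resolver(d) is None)
    code_files = [p for p in bundle.rglob("*") if p.suffix in CODE_SUFFIXES]
    return {
        "missing_scripts": missing_scripts,
        "unresolved_deps": unresolved_deps,
        "instruction_only": not code_files,
        "incoherent": bool(missing_scripts) or bool(unresolved_deps),
    }


def build_sample_bundle() -> Path:
    """Write the constructed bundle to a temp dir: SKILL.md only, no scripts/."""
    root = Path(tempfile.mkdtemp(prefix="skill-"))
    (root / "SKILL.md").write_text(SAMPLE_SKILL_MD)
    return root


if __name__ == "__main__":
    # A resolver that finds nothing simulates a clean host with none of the
    # declared tools installed; drop the argument to check the real PATH.
    report = audit_bundle(build_sample_bundle(), resolver=lambda name: None)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real downloaded bundle, `audit_bundle(Path("path/to/unzipped-skill"))` uses the host PATH, so an empty `unresolved_deps` only tells you the tools happen to be present on that machine, not that the skill vetted or pinned them; `missing_scripts` is the stronger signal, because a script the package references but does not contain cannot have been reviewed.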

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cehshkwr9kgfct6env8cfa18362ha

