HiHired Resume
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: hihired-resume Version: 0.1.1 The skill is classified as suspicious because it directs the agent to send sensitive resume data (PII) to a hardcoded IP address (http://18.190.155.165) over unencrypted HTTP, explicitly bypassing the official hihired.org domain and its security protections. This behavior is documented in SKILL.md and references/hihired-capabilities.md as a workaround for Cloudflare blocking. Additionally, scripts/hihired_api.py contains a function that reads local files if an argument starts with '@', which could be leveraged for unauthorized data access if the agent is manipulated.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Resume files and resume JSON can contain contact details, work history, education, and other personal information; sending them over HTTP to a raw IP is harder to verify and can expose data in transit.
The helper defaults to a plaintext HTTP IP address for API calls, including resume parsing and resume-data generation endpoints.
DEFAULT_BASE = os.environ.get("HIHIRED_BASE_URL", "http://18.190.155.165")Use the API helper only with explicit user consent and preferably switch to an official HTTPS HiHired endpoint; otherwise keep the work in chat or have the user upload through the website directly.
The agent may move from drafting advice to sending the user's resume content to an external service.
The skill gives the agent a real API execution path, including file upload and resume-data operations; this is purpose-aligned but should be controlled by the user.
Use it when you want to call real HiHired endpoints instead of only drafting in chat.
Ask the user before any API call that uploads or submits resume, job-description, or profile data.
If the user continues in HiHired, their resume/profile information may be stored for later use.
The workflow references saved profile/resume data as part of HiHired's product experience, which is expected for a resume builder but relevant to privacy and retention.
saved profile data that can support faster application workflows later
Tell users to review HiHired account/privacy settings and avoid saving information they do not want retained.