Skill v1.0.0
ClawScan security
Cn Resume Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 5:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent for analyzing resumes using the included Python script, requests no credentials, and has no install steps—though there are a couple of small documentation mismatches to be aware of.
- Guidance: This skill appears to do what it says: run a local Python analyzer on resume text and produce scores and suggestions, and it does not request credentials or perform network calls itself. Before installing, consider:
  1) The SKILL.md suggests accepting URLs and installing 'requests', but the bundled script does not fetch URLs—if your agent will download remote resumes, that network activity will happen outside the script and you should control/trust that downloader.
  2) The repo declares '自动生成,无人工审查' (auto-generated, no human review) — review the script yourself and test with non-sensitive sample resumes to ensure it meets quality/privacy needs.
  3) Verify your agent’s runtime will not forward resume contents to external services you don't intend.
  If you need URL downloading, either extend the script with explicit, audited network code or ensure the agent performs downloads under strict controls.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: a local Python resume analyzer that returns scores, checks, and suggestions. The SKILL.md and code both target resume analysis. Minor note: SKILL.md mentions optional 'pip install requests' for downloading network resumes and suggests accepting URLs, but the included script does not implement URL fetching.
- Instruction Scope (note): Runtime instructions direct the agent to obtain resume content (text/file path/URL) and call scripts/resume_analyzer.py. The script accepts text via argv or stdin; it does not read arbitrary system files or perform network requests itself. If the agent downloads URLs or reads file paths outside the script, that behavior will occur outside the included code and should be controlled by the host agent.
- Install Mechanism (ok): No install spec and no external downloads—this is low-risk. The SKILL.md's optional 'pip install requests' is only a documentation hint and is not required by the provided code.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths, which is proportionate to its stated purpose.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent or elevated agent-wide privileges. Autonomous invocation is allowed by default (normal for skills) but not combined with broad credentials or persistence here.
