Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recruiter Assistant

v1.4.2

A professional recruitment workflow assistant. Evaluates resumes against dynamic requirements and AI proficiency, provides critical Pros/Cons analysis, and p...

0· 712·6 current·6 all-time
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (resume screening, salary benchmarking, Feishu report generation) match the included scripts and reference files. However, at runtime the skill expects agent-side tools (feishu_doc, message) and an external binary (pdftotext), while its metadata declares no required binaries or credentials. Those runtime dependencies should be declared or justified.
Instruction Scope
The scripts and SKILL.md instruct the agent to read full resume contents, print them to stdout, generate Feishu docs, and post public Feishu links directly in chat. Printing full resume text, and creating and publishing documents that contain candidate PII, is a high privacy risk. The instructions also tell the agent to call the feishu_doc tool and to send HR notifications via a 'message' tool; the documentation neither constrains nor qualifies these external transmissions of candidate data.
Install Mechanism
There is no install spec (the skill is instruction-only), which minimizes installation risk. The scripts do, however, call the pdftotext binary and rely on a Node runtime; pdftotext is not listed under required binaries, so the skill carries a hidden dependency that is not visible from its metadata. No network download or install steps are present.
Credentials
The skill declares no required environment variables or credentials, yet its runtime instructions explicitly direct the agent to call a feishu_doc tool (and one script mentions a docToken). That implies Feishu authentication or agent tool permissions that are not declared. The skill therefore requests, through its behavior rather than its metadata, access to external services and candidate data without documenting which credentials or scopes will be used; this is disproportionate given the sensitivity of the PII involved.
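The two findings above (an undeclared pdftotext dependency, and agent tools named only in the instructions) can be checked mechanically before a skill is installed. The script below is an added example written for this page, not code from the Recruiter Assistant skill or from ClawHub. It scans a constructed sample bundle for child_process invocations in Node scripts, for tool names mentioned in SKILL.md prose, and for scripts that write to stdout, then diffs what it finds against the binaries and tools the publisher declared. The sample files, the declared sets, and the regexes are assumptions; the tool-name heuristic only catches the phrasing "the X tool", so treat a clean result as a starting point, not proof.

```python
import re
from typing import Dict, List, Set

# Constructed sample skill bundle. This is NOT the Recruiter Assistant's real
# SKILL.md or scripts; it only mirrors the patterns the scan report describes
# (an undeclared pdftotext call, agent tools named in prose, raw text to stdout).
SAMPLE_SKILL: Dict[str, str] = {
    "SKILL.md": (
        "# Recruiter Assistant (constructed example)\n"
        "Run `node scripts/parse_resume.js <resume.pdf>` and read the output.\n"
        "Then call the feishu_doc tool to create a report and use the message tool\n"
        "to notify HR with the public link.\n"
    ),
    "scripts/parse_resume.js": (
        "const { execSync, spawnSync } = require('child_process');\n"
        "const file = process.argv[2];\n"
        "const text = execSync(`pdftotext -layout \"${file}\" -`).toString();\n"
        "console.log(text);  // full resume text to stdout\n"
        "spawnSync('node', ['scripts/summarize.js']);\n"
    ),
}

# Hypothetical declared metadata. The scan reports that nothing is declared,
# so both sets are empty here; a publisher fixing the finding would fill them in.
DECLARED_BINARIES: Set[str] = set()
DECLARED_TOOLS: Set[str] = set()

# child_process invocations in Node scripts: the first token after the opening
# quote is the binary name. Heuristic: misses commands built dynamically.
EXEC_RE = re.compile(r"""\b(?:execSync|execFileSync|spawnSync|exec|spawn)\(\s*[`'"]([\w.-]+)""")
# Agent tools named in SKILL.md prose, e.g. "call the feishu_doc tool".
TOOL_RE = re.compile(r"\b(?:the|a)\s+`?([a-z][a-z0-9_]*)`?\s+tool\b")
# Calls that write arbitrary text to stdout, where it lands in agent logs.
STDOUT_RE = re.compile(r"console\.log\(|process\.stdout\.write\(")


def find_binaries(source: str) -> Set[str]:
    """Binary names invoked via child_process in one script."""
    return set(EXEC_RE.findall(source))


def find_tools(markdown: str) -> Set[str]:
    """Agent tool names the instructions tell the agent to call."""
    return set(TOOL_RE.findall(markdown))


def audit(files: Dict[str, str], declared_binaries: Set[str],
          declared_tools: Set[str]) -> Dict[str, List[str]]:
    """Compare what the bundle actually uses with what its metadata declares."""
    used_binaries: Set[str] = set()
    used_tools: Set[str] = set()
    stdout_writers: List[str] = []
    for path, content in files.items():
        if path.endswith(".md"):
            used_tools |= find_tools(content)
        else:
            used_binaries |= find_binaries(content)
            if STDOUT_RE.search(content):
                stdout_writers.append(path)
    return {
        "undeclared_binaries": sorted(used_binaries - declared_binaries),
        "undeclared_tools": sorted(used_tools - declared_tools),
        "stdout_writers": sorted(stdout_writers),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SKILL, DECLARED_BINARIES, DECLARED_TOOLS).items():
        print(f"{key}: {value}")
```

On the sample bundle this reports `pdftotext` and `node` as undeclared binaries, `feishu_doc` and `message` as undeclared tools, and `scripts/parse_resume.js` as a script that writes to stdout, which is the shape of the findings in this report. Point it at a real skill directory by reading the files into the same path-to-content mapping.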
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It does read and write temporary files (e.g., /tmp) and generates per-candidate documents, which are reasonable for its purpose.
What to consider before installing
This skill appears to do what its name says, but proceed cautiously. Key points to check before installing or running:
1) pdftotext is required by the scripts but not declared. Install and test it separately.
2) The scripts print entire resume contents to stdout and instruct the agent to create and publish Feishu documents and to post summaries to HR; this transmits candidate PII to external services. Confirm where Feishu docs are stored, who can access public links, and what authentication and scopes the feishu_doc and message tools use.
3) No credentials or env vars are declared for Feishu. Verify how authentication is handled by your agent runtime and limit permissions and scopes.
4) If you will process real candidate data, run the skill in an isolated environment (or with sanitized/test resumes) until you have confirmed its behavior and its storage and privacy controls.
5) Consider asking the publisher to declare pdftotext as a required binary, document required tool permissions, avoid printing raw resumes to logs, and add explicit guidance or an opt-in step for publishing public links.
If any of these are unacceptable for your privacy or security posture, do not use the skill with real candidate data.
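Points 2 and 5 come down to one control: nothing that reaches stdout, a Feishu doc or an HR message should carry raw identifiers unless someone explicitly chose that. The block below is an added example written for this page, not code from the skill or from ClawHub. It redacts the direct identifiers a resume header usually carries (email, URL, phone) from a constructed, fictional resume, and wraps that in a gate that redacts by default and only passes raw text through on an explicit `publish_pii=True`. The sample resume, the placeholder labels and the regexes are assumptions; names and postal addresses are not handled, since that needs an NER step or human review rather than a regex.

```python
import re
from typing import Dict

# Constructed sample resume for a fictional candidate; not data from the skill.
SAMPLE_RESUME = """Jane Doe
Email: jane.doe@example.com | Phone: +1 (555) 123-4567
LinkedIn: https://www.linkedin.com/in/janedoe
Senior Data Engineer with 8 years of experience. Python, Spark, Airflow, AWS.
"""

# Direct identifiers a resume header usually carries. Names and addresses
# need NER or a human review step and are deliberately out of scope here.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "URL": re.compile(r"https?://\S+"),
    "PHONE": re.compile(r"(?:\+?\d{1,3}[\s-]?)?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}"),
}


def redact_pii(text: str) -> str:
    """Replace each direct identifier with a bracketed placeholder."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def contains_pii(text: str) -> bool:
    """True if any direct identifier pattern is still present."""
    return any(p.search(text) for p in PII_PATTERNS.values())


def prepare_for_external(text: str, publish_pii: bool = False) -> str:
    """Gate on the path to stdout, a Feishu doc or an HR message.

    Redacts by default. Only an explicit publish_pii=True lets raw
    identifiers through; that flag is the opt-in the scan recommends.
    """
    if publish_pii:
        return text
    redacted = redact_pii(text)
    if contains_pii(redacted):  # defence in depth: refuse rather than leak
        raise ValueError("redaction incomplete; refusing to send")
    return redacted


if __name__ == "__main__":
    # What the agent would be allowed to log or post by default.
    print(prepare_for_external(SAMPLE_RESUME))
```

Call `prepare_for_external` at every exit point (the stdout print, the document body handed to feishu_doc, the summary handed to the message tool) rather than once at the start, so a later code path cannot reintroduce the raw text. The skills and experience lines survive redaction, which is the part a Pros/Cons analysis actually needs.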


Tags: automation, golang, hr, latest, php, recruitment

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
