Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
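UP Resume Job Search Assistant
v1.0.1
UP Resume AI job-search assistant. Creates professional resumes, searches campus-recruitment, experienced-hire and internship positions, optimizes resumes against a JD, diagnoses resumes, monitors job postings daily, and gives smart application guidance. Use when the user says "create resume", "edit resume", "search campus recruitment", "find a job", "optimize resume", "apply", or "monitor campus recruitment".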
by 叁拾 @hellosanshi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description map cleanly to the listed MCP tools (resume.*, campus.*, etc.) and the SKILL.md instructs only MCP API calls and resume/job workflows that are appropriate for a resume/job-search assistant.
Instruction Scope
Runtime instructions only call the MCP tools the skill needs. However the docs instruct running 'claude mcp add ... --api-key YOUR_API_KEY', running 'claude -p' inside monitor.sh, using npx, and creating local files; these implicit binary/tool dependencies (claude CLI, Node/npx) are not declared in the registry metadata. The skill also creates and reads local files (~/.jobsclaw/, ats-records/) and launches scheduled tasks — all within the stated feature set, but worth explicit user consent.
Install Mechanism
No formal install spec is in the bundle, but SKILL.md instructs the user to run an npx command (npx @upcv/mcp-server). That pulls code from npm at runtime — a moderate-risk operation. The skill does not document verifying the package origin or the npm package's integrity. This is expected for the feature but should be noted as a network download/install step.
Credentials
The skill requires an API key from clawjob.upcv.tech for the MCP server, which is appropriate. However the metadata lists no required env vars and gives no guidance about how the API key will be stored/managed after 'claude mcp add ... --api-key', leaving ambiguity about credential persistence and where secrets are kept.
Persistence & Privilege
The skill instructs creating persistent artifacts: monitor.sh, a LaunchAgents plist or a cron job, a local reports directory (~/.jobsclaw/reports) and ats-records/ files. These are consistent with a job-monitor feature, but they introduce persistent, autonomous behavior on the host (scheduled queries and local storage). The skill is not 'always: true', but installation will create persistent scheduled tasks and local data files that the user should explicitly review and approve.
What to consider before installing
This skill appears to do what it claims, but review these before you proceed:
1) Confirm tooling: the instructions rely on the 'claude' CLI and on Node's npx; these binaries are not listed in the metadata. Make sure you have/expect those tools on your machine.
2) API key handling: the SKILL.md asks you to supply an API key to 'npx @upcv/mcp-server' but doesn't explain how/where that key is stored. Ask or inspect how the MCP server/claude stores credentials before handing over secrets.
3) npm package risk: the install step uses 'npx @upcv/mcp-server' (downloads code from npm). Verify the package source (e.g., GitHub repo) and review its code or reputation before running.
4) Persistent changes: the skill creates monitor.sh, writes reports to ~/.jobsclaw/, creates ats-records/ and sets cron/launchd jobs. Inspect monitor.sh and the plist/cron entry before enabling automatic runs and ensure you consent to scheduled network queries.
5) Data disclosure: monitor.sh uses 'claude -p' to run queries automatically; consider what data will be sent in those scheduled queries and where results are stored. Avoid storing highly sensitive personal identifiers in recorded files; the skill itself warns not to auto-fill ID numbers.
If you want to proceed, verify the upcv/clawjob service legitimacy (clawjob.upcv.tech), inspect the npm package @upcv/mcp-server, and review any generated scripts and scheduled-job definitions before loading them.
Like a lobster shell, security has layers — review code before you run it.
