UP Resume and Job Search Assistant (UP 简历求职助手)
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent resume and job-search assistant, but it deserves review because it installs an external MCP server with an API key and can create persistent daily background jobs, with one unsafe cron cleanup instruction.
Before installing, make sure you trust the UPCV MCP server and the API key access it receives. Review any generated monitor.sh, launchd, or cron entries before enabling daily monitoring, and replace any `crontab -r` stop guidance with a scoped removal of only this skill's scheduled task. Keep ATS records free of sensitive personal identifiers and confirm resume edits or deletions before applying them.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Trying to stop this monitor could accidentally disable unrelated scheduled jobs the user relies on.
`crontab -r` removes the user's entire crontab, not just this skill's monitor entry, and it is presented as a stop-monitor command without a clear warning about collateral impact.
How to stop monitoring (provides the launchctl unload / crontab -r commands)
Use a scoped removal method, such as unloading only the specific launchd plist or editing/removing only the specific cron line; avoid recommending `crontab -r` unless the user explicitly wants to delete all cron jobs.
The monitor may continue running daily, using the user's local Claude setup and UPCV access until it is disabled.
The skill intentionally creates a recurring background task for daily job monitoring; this is disclosed and purpose-aligned, but it means the agent can run later outside the immediate chat session.
Create the `monitor.sh` script + launchd/cron scheduled task
Only enable monitoring if you want ongoing automation, review the generated script/plist/cron entry, and keep a clear stop command for the specific task.
The external MCP package will receive the API key and handle resume/job operations, so its provenance matters.
Core functionality is delegated to an external npm MCP server that is not included in the reviewed artifacts and is not version-pinned in the documented install command.
claude mcp add upcv -- npx @upcv/mcp-server --api-key YOUR_API_KEY
Install only if you trust the UPCV MCP package, consider pinning a known version, and review the package/source before use.
Your resume content and contact details may be accessed or changed through the UPCV account integration.
The skill uses an API-backed MCP integration that can read, update, export, and delete resume data in the user's UPCV account; this is expected for a resume assistant and deletion is described as requiring confirmation.
`resume.list` | `resume.get` | `resume.updateBasics` | `resume.delete` (requires user confirmation)
Use a dedicated trusted API key, review edits before applying them, and require explicit confirmation for destructive actions.
Saved ATS notes may influence future application guidance and could expose private application details if stored carelessly.
The auto-apply workflow stores and reuses local ATS form-structure notes across later applications, which is purpose-aligned but creates persistent context that can become stale or include sensitive details if users add them.
Read the memory files in the `ats-records/` directory...record the ATS form structure to the memory file: `ats-records/{ats-type}.md`
Review and clean the `ats-records/` files periodically, and do not store secrets, ID numbers, or other highly sensitive personal data in them.
