Skill v1.0.1
ClawScan security
Smart Recruitment Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 6:22 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description and pricing claim integration and deployment features (API, ATS integration, private deployment), but the SKILL.md contains no runtime instructions, no install steps, and no credential requirements — the implementation detail is missing or inconsistent.
- Guidance: This package appears incomplete or misleading: it promises API/ATS integration and private deployments but provides no code, no install, and no credential requirements. Before installing or using it, ask the publisher for: (1) concrete runtime instructions (what endpoints or commands the agent will call), (2) required credentials and where they are stored, (3) how candidate data is collected, transmitted, stored, and deleted (encryption, retention, access controls), (4) a privacy/security policy and compliance details (GDPR/local laws), and (5) a demonstration or source code you can inspect. Because this skill deals with sensitive HR data, do not provide real candidate data until you have verified the implementation and data-handling practices. If the publisher cannot supply clear technical details, treat the skill as incomplete and do not enable it for production use.
Review Dimensions
- Purpose & Capability (concern): The name/description advertise an AI recruitment system with API, ATS integration, private deployment, and monthly plans, but the package contains only a short SKILL.md with metadata and pricing. There are no install specs, code files, or declared environment variables to support API access, ATS integration, or private hosting — these capabilities are unsupported by the provided artifacts.
- Instruction Scope (concern): The SKILL.md provides metadata and tiered pricing but no concrete runtime instructions for the agent (no APIs to call, no commands, no data handling steps). This is vague and grants no transparency about how the skill would perform screening, match candidates, or manage interviews; lacking instructions makes it unclear what the agent would actually do when invoked.
- Install Mechanism (ok): There is no install specification and no code files, which minimizes the risk of arbitrary code being written or executed on the host. From an installation perspective this is low-risk but also contributes to the incoherence noted above because expected integrations are not implemented.
- Credentials (note): The skill declares no required environment variables or credentials. That would be reasonable for a purely conversational helper, but contradicts the SKILL.md's advertised features like 'API接口' (API interface), 'ATS系统集成' (ATS system integration), and '私有化部署' (private deployment), which normally require credentials, endpoints, or install steps. The absence of such requirements is a mismatch.
- Persistence & Privilege (ok): The skill does not request permanent presence (always: false) and uses default autonomous-invocation settings. There is no evidence it modifies other skills or system settings. This is normal and not a concern by itself.
