Skillv1.0.1

ClawScan security

Smart Resume Optimizer Cn Payment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 2, 2026, 5:01 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill advertises a paid AI resume‑optimization service but contains no runnable instructions, APIs, or code to actually perform the described tasks and instead embeds off‑platform payment accounts — this mismatch and the out‑of‑platform payment request are suspicious.
Guidance: This package looks like a marketing page rather than a working skill. It asks you to pay via Alipay/QQPay accounts embedded in the SKILL.md but provides no code, API, or instructions that would actually perform resume optimization. That combination is suspicious: you could be asked to pay and receive nothing, or to send sensitive resume data off‑platform without protections. Do not send payment based solely on this skill. Before installing or invoking, ask the author to provide: (1) concrete runtime instructions or an API endpoint the agent will call, (2) how payments are processed (platform payment flow vs. manual off‑platform account), (3) privacy/retention policy for resumes and personal data, and (4) a refund/cancellation policy. Prefer skills that integrate via documented APIs or platform payment systems rather than ones that embed direct payment accounts in the SKILL.md. If you want help vetting any additional info the developer provides, share that and I can re‑evaluate.

Review Dimensions

Purpose & Capability: concernThe name/description promise AI resume scoring, optimization, cover‑letter generation and interview prep, but the skill has no code, no API endpoints, no required binaries or credentials, and no operational instructions that would allow the agent to perform those tasks. The SKILL.md is marketing/capabilities text rather than actionable runtime instructions, so the declared purpose is not supported by any capability in the package.
Instruction Scope: concernSKILL.md contains only a product description and explicit off‑platform payment details (Alipay and QQPay accounts). It does not instruct the agent how to process resumes, nor how to collect or transmit user data, nor how to contact an API. Including payment account details in the instructions is noteworthy because it effectively directs users to perform payments outside the platform without any verifiable mechanism for service delivery or refund handling.
Install Mechanism: okThere is no install specification and no code files; nothing is written to disk and there are no third‑party packages installed. From an execution/install perspective this is low risk, but also explains why the skill cannot actually perform work.
Credentials: okThe skill requests no environment variables, credentials, or config paths — which is proportionate to a purely descriptive/marketing SKILL.md. However, the presence of explicit payment account identifiers (in metadata and the document) is outside normal skill metadata and raises a trust/fraud concern even though no secrets are requested.
Persistence & Privilege: okThe skill does not request always:true or any elevated persistence, and there is no indication it would modify other skills or global configuration.