Skill v1.1.0

ClawScan security

Smart Resume Optimizer Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 11:19 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with a resume-optimization tool and makes no unusual install/credential requests, but its runtime instructions encourage automated edits (including invented quantitative claims) that users should carefully verify.
Guidance
This skill appears to do what it claims (resume scoring, ATS optimization, templates, JD matching), and it does not request credentials or install code. However: 1) Carefully review any automated edits—do not accept generated quantitative achievements or metrics unless you can verify them; the examples show the assistant may insert specific numbers (DAU, user counts) which could be inaccurate or dishonest. 2) Treat any uploaded resume content as sensitive personal data (names, contact info, employer history) and avoid including unnecessary PII if you have privacy concerns. 3) Because the skill's source/homepage is unknown, prefer running it in contexts where you manually review outputs rather than auto-submitting modifications or exports. 4) If you plan to pay or provide billing info for Pro features, confirm the payment flow and endpoint are legitimate before entering financial data.

Review Dimensions

Purpose & Capability
ok
Name/description (简历优化、ATS兼容、JD匹配、模板、面试预测等) match the SKILL.md content. There are no unexpected required binaries, env vars, or config paths that would be unrelated to a resume tool.
Instruction Scope
concern
SKILL.md is an instruction-only skill that describes operations like scoring, template substitution, JD matching, and '自动调整简历' with concrete rewrites (e.g., adding quantified metrics such as "DAU增长400%" or "用户从0到100万增长"). While this is within resume-optimization scope, it risks fabricating or overstating achievements if the agent inserts unsupported numeric claims. The instructions do not reference external endpoints or request unrelated system files, but they do imply handling personal/resume content (PII) which users should treat as sensitive.
Install Mechanism
ok
No install spec, no code files to execute, and no downloads—lowest install risk. The skill is instruction-only and will not write additional binaries or fetch archives during install.
Credentials
ok
No environment variables, credentials, or config paths are required. The declared requirements are proportional to the stated purpose.
Persistence & Privilege
ok
always is false and there is no indication the skill requests elevated persistence or alters other skills. Versioning described is conceptual in the documentation; the skill itself does not request system-level persistence or cross-skill config changes.