v1.0.3

GLM-V-Resume-Screen

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:34 AM.

Analysis

This skill matches its resume-screening purpose, but it uses a Zhipu API key and sends resume contents to Zhipu's model, so candidate data and credentials should be handled carefully.

Guidance: Before installing, make sure you are comfortable sending candidate resumes and criteria to Zhipu's GLM-V API. Protect the ZHIPU_API_KEY, process only data you are authorized to share, and install PyMuPDF from a trusted Python environment if you need local PDF support.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
`PyMuPDF` is required (`pip install PyMuPDF`).

The local PDF workflow depends on a manually installed Python package. The dependency is disclosed and purpose-aligned, but package installation changes the local environment.

User impact: Users who need local PDF support may install an additional package into their Python environment.
Recommendation: Install dependencies from trusted sources, preferably in a virtual environment, and avoid running package installation commands from untrusted modifications of the skill.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
This script reads the key from the `ZHIPU_API_KEY` environment variable

The skill requires a provider API credential. This is expected for the stated Zhipu integration, but the key can authorize account usage and billing.

User impact: Anyone using the skill must provide a Zhipu API key that could be charged or abused if exposed.
Recommendation: Use a dedicated or least-privileged API key where possible, store it only in trusted configuration or environment variables, and rotate it if exposure is suspected.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Local PDF files are converted page-by-page into images (base64) before sending to the model.

Resume contents, including local PDF pages, are transmitted to an external model provider. This is disclosed and central to the skill, but it involves sensitive candidate data crossing a provider boundary.

User impact: Candidate resumes and screening criteria may be sent to Zhipu's service for processing.
Recommendation: Use the skill only for resumes you are authorized to share with the provider, review applicable privacy/data-retention terms, and avoid including unnecessary sensitive information.