Skill v1.0.0

ClawScan security

resume · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 5:41 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only resume/project summarizer whose declared inputs and behavior align with its description and it requests no extra credentials or installs.
Guidance
The skill appears coherent: it asks you to paste links or upload documents and then structures and rewrites project experiences into resume bullets using the provided templates. Before using it, consider: (1) do not upload extremely sensitive documents (ID numbers, bank details) unless you trust the platform's processing and retention policy; (2) links should be publicly accessible if you expect the assistant to fetch them — never share account credentials or private API tokens; (3) the metadata claims no long-term storage but that's a policy statement you may want to confirm with the platform; (4) if the assistant later asks you to provide service credentials (Feishu/企微 tokens) or to run external installs, treat that as a red flag and pause. If you want a stricter privacy posture, paste only the project text you want summarized and avoid uploading full original resumes or documents containing unrelated personal data.
Findings
[no_findings] expected: Regex scanner had no code files to analyze (instruction-only). Absence of findings is expected given no executable code; review runtime behavior (what the platform will do with uploaded docs) before sending sensitive data.

Review Dimensions

Purpose & Capability
ok: Name/description (整理项目并生成按岗位定制的简历) match the included SKILL.md and templates. Declared inputs (links, PDF/Word, images, text) are appropriate for this purpose and there are no unexpected environment variables, binaries, or cloud credentials requested.
Instruction Scope
note: Runtime instructions focus on asking the user for links/files/text, extracting structured fields, de-noising and reorganizing project info, and asking follow-ups — all within the stated resume-summarization purpose. Note: SKILL.md mentions OCR and fetching content from online doc links (user-provided), but does not specify which tool/endpoint will perform OCR or retrieval; users should expect uploaded documents or public links will be processed and that the skill may surface sensitive personal data contained in those inputs.
Install Mechanism
ok: No install spec and no code files — instruction-only skill with bundled templates and examples. This minimizes on-disk execution and supply-chain risk.
Credentials
ok: No environment variables, credentials, or config paths are required. The skill's declared capabilities (parsing pasted links/files and asking clarifying questions) don't justify any additional secrets or system access.
Persistence & Privilege
ok: always is false and the skill does not request permanent presence or ask to modify other skills. _meta.json states '用户数据仅用于生成简历,不长期存储' but that is a policy claim in metadata rather than an enforceable guarantee.