Skill v1.0.0
ClawScan security
HireMate — AI招聘助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 29, 2026, 10:51 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to be an AI recruiting toolkit and the included files, runtime instructions, and required resources are coherent with that purpose — no unexplained credentials, network endpoints, or install steps are present.
- Guidance: This skill appears internally consistent with its stated recruiting purpose and contains local Python scripts plus reference JSON files. Before installing or executing: (1) review the bundled scripts (especially resume/IO handling scripts) to confirm they do not process or transmit sensitive data or call external services; (2) run them in a sandbox or isolated environment if you cannot audit the code yourself; (3) be aware that premium features are local scripts — no credentials are requested, but if you adapt the skill to fetch live salary data or integrate ATS systems, you'll need to provide appropriate credentials then; (4) keep salary/reference data up to date as noted. Confidence is high based on provided files; if there are additional hidden files or network-capable code not shown, re-evaluate.
Review Dimensions
- Purpose & Capability (ok): Name/description (JD generation, screening, scoring, match analysis, salary reports) aligns with the included reference data and Python scripts. Required env/configs are empty and there are no unrelated credentials or binaries requested.
- Instruction Scope (ok): SKILL.md instructs the agent to run local Python scripts inside the skill directory and describes inputs/outputs. The instructions do not attempt to read system-wide files, request unrelated environment variables, or call unknown external endpoints.
- Install Mechanism (note): No install spec (instruction-only) which is low risk, but the package bundles multiple executable Python scripts and JSON data files. Executing those local scripts will run code from this untrusted source — review scripts (score_resume.py, match_candidate.py, etc.) before running in your environment or run them in a sandbox.
- Credentials (ok): The skill does not request any environment variables, credentials, or config paths. All data it uses is shipped in the skill (templates, question DB, salary data); this is proportionate to its recruiting purpose.
- Persistence & Privilege (ok): always is false and the skill does not declare any hooks to persist into global agent config. It does not request elevated privileges or alter other skills' configs.
