Skill v1.0.0
ClawScan security
简历优化技能 (Resume Optimization Skill) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 2:41 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only resume optimizer whose declared purpose, required resources, and runtime instructions are consistent and proportionate.
- Guidance: This skill appears coherent and low-risk, but before installing or using it consider: (1) Privacy — resumes often contain sensitive PII (phone, email, ID numbers, employer data). Only paste or upload documents you are comfortable sharing and do not include sensitive identifiers. (2) Quantitative claims — the skill may suggest or insert numbers; confirm any added or inferred metrics as true before using them. (3) File access — if asked to provide a local file path or allow OCR, grant access explicitly and avoid giving access to unrelated directories. (4) External links/resources — verify suggested courses or links before following them. (5) Credentials — the skill should never request API keys, passwords, or cloud credentials for this purpose; treat any such request as suspicious. Overall, the skill is consistent with its description; proceed if you accept the above privacy precautions.
Review Dimensions
- Purpose & Capability (ok): Name/description (resume optimization) aligns with the SKILL.md: parsing resumes/JDs, scoring, keyword and STAR rewrites. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope (note): Instructions stay within resume-optimization scope (parsing text/PDF/images, JD analysis, matching, rewrite). The doc suggests accepting resume/JD file paths and OCR for images; this can cause the agent to request or access user-supplied files or call external OCR tools. That behavior is expected for the task but is worth noting: the agent should only access files explicitly provided by the user and must not read arbitrary system files.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This is the lowest-risk model: nothing is written to disk or downloaded by the skill itself.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The declared requirements are minimal and appropriate for the stated purpose.
- Persistence & Privilege (ok): always:false (default) and normal autonomous invocation allowed. The skill does not request permanent presence or modify other skills/configurations; privileges are proportionate.
