LinkedCareer
v1.0.14Career management and resume generation skill
⭐ 1· 247·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (career management & resume generation) align with required binaries (node), requiredPaths (~/.openclaw/.../user_data), and package dependency (docx for Word export). The code focuses on onboarding, memory, resume generation and JD matching — these are expected for the stated purpose. Minor mismatch: skill.json's files list references several template .md files that are not present in the manifest (the repo contains resume_professional.html instead). This is an integrity/documentation inconsistency but not an obvious security issue.
Instruction Scope
SKILL.md and the code instruct local CLI operations (init, record, resume, import, find job). Runtime logic reads/writes local files under the user_data directory and processes user-provided text/files. There are no network calls in the runtime code. The import command reads a user-specified file path (expected behavior for import) — this requires user-supplied path but does not read other system config. The SKILL.md states install-time network use to fetch docx from npm; that is installation-time only and documented.
Install Mechanism
Installation uses 'npm install --production' (declared in SKILL.md and skill.json) to fetch docx@8.5.0. npm is a standard registry install; this is proportionate for producing .docx outputs. Note: installing npm packages pulls code from the public registry — you should verify the dependency (docx) and run the install in a controlled environment if you have supply-chain concerns.
Credentials
The skill requests no environment variables or secrets. It reads the user's HOME (or USERPROFILE) to store data under ~/.openclaw/workspace/LinkedCareer/user_data, which matches the declared requiredPaths. No credentials, tokens, or unrelated environment access are requested or used.
Persistence & Privilege
always is false and the skill is user-invocable (normal). It stores its own data under a dedicated user_data path and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (not a standalone concern) and should be fine given the limited scope.
Assessment
What to consider before installing:
- Functional audit: inspect or grep src/core/resume.js for the function generateProfessionalWord referenced by src/index.js — some code appears truncated and that export may be missing, which would cause runtime errors.
- npm dependency review: npm install will download docx@8.5.0. If you have supply-chain concerns, verify the package/version and consider installing in a sandbox or checking the package source on npm/GitHub first.
- File-list mismatch: skill.json lists template .md files that are not present in the package — this is likely a packaging/documentation error. If you depend on certain templates, verify their presence.
- Data access: the skill stores and reads resumes and career data under ~/.openclaw/workspace/LinkedCareer/user_data. Ensure you are comfortable with that local path and backup/remove sensitive files as needed.
- No runtime network or secret access detected: the runtime code does not perform outbound network calls or request credentials, so data should remain local at runtime. If you plan to use Word/PDF export features, double-check how those are implemented (some export flows may call external tools — here the code claims to reuse docx locally).
If you are not comfortable, run npm install and the skill in an isolated environment, or review the docx dependency and the remaining source code (especially any truncated/omitted files) before granting it to a production agent.Like a lobster shell, security has layers — review code before you run it.
latestvk97bsvarphrxs20wnncy9d7z3x82zjc0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode