Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Harvard Style CV Creator
v1.0.1
Expert engine for creating Harvard-standard CVs (resumes) and cover letters following the official Harvard Office of Career Services guidelines. Use this ski...
by David Escobar (@midnightstudioai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)

Purpose & Capability
The skill legitimately needs a way to produce .docx files (it references the Node.js 'docx' package). However, the registry metadata declares no required binaries or dependencies, while SKILL.md and README both say Node.js and the 'docx' package are required. README adds a dependency on a separate 'docx' public skill at /mnt/skills/public/docx/SKILL.md that is neither declared nor present in the manifest. The stated requirements and the actual instructions are therefore inconsistent with each other.
Instruction Scope
SKILL.md contains explicit shell-style instructions ('npm list -g docx | grep docx || npm install -g docx') instructing the agent/environment to check for and possibly perform a global npm install. The skill also instructs the agent to 'Read references/harvard-rules.md' but the provided file is named harvard-rules.md at the repo root (path mismatch). The skill further claims 'All necessary patterns are included below' but there are no runnable Node scripts in the bundle. These issues mean the SKILL.md both expects to run system commands and relies on files/skills that aren't consistently referenced.
Install Mechanism
There is no formal install spec in the registry, yet the instruction text instructs a global npm install if 'docx' is missing. Asking an agent/environment to run 'npm install -g' is a high-impact action (modifies global environment) and is not declared in the skill manifest. README mentions a dependency on a public skill at a platform-specific path, which is another install/runtime assumption not recorded in metadata.
Credentials
The skill does not request any environment variables, credentials, or config paths. There is no evidence it attempts to access secrets. The primary concern is un-declared runtime modification (npm global install), not credential access.
Persistence & Privilege
The skill is not marked 'always' and does not request elevated platform privileges. However, its instructions to perform a global npm install could leave persistent packages on the host, which is a form of lasting system modification. This is a lower-level persistence concern rather than a declared privilege escalation.
What to consider before installing
This skill appears to do what it says (generate Harvard-format .docx resumes/cover letters) but contains inconsistent and potentially risky runtime instructions. Before installing or enabling it:
1) Verify you are comfortable allowing the agent/environment to run system commands; the SKILL.md suggests doing a global 'npm install -g docx'. Prefer local installs or a bundled implementation instead of global package installs.
2) Ask the publisher/source for the missing Node script (there are no code files) and for clarification about the README claim that a public 'docx' skill must exist at /mnt/skills/public/docx/SKILL.md.
3) Ask the author to remove or make optional any automatic install steps and to correct file path references (references/harvard-rules.md vs harvard-rules.md).
4) If you cannot confirm the above, avoid allowing the agent to autonomously execute install commands; run any required installs manually in a controlled environment or sandbox first.
If you need help drafting a safer installation checklist or a question to send the publisher, I can help.
latest: vk976jvac8ycmxcr9nyhswfc2z5840b1j
