Skillv1.1.0

ClawScan security

Resume Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 22, 2026, 12:09 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions line up with its stated purpose: it is an instruction-only resume builder that reads/writes a local profile directory under ~/.openclaw/resume-builder and does not request external credentials or installs.
Guidance: This skill is internally consistent and only writes local files under ~/.openclaw/resume-builder, which is expected for a resume builder. Before installing: (1) confirm you are comfortable storing resume data in your home directory (it will persist there and be included in backups unless excluded); (2) avoid entering highly sensitive personal data (SSNs, bank details, etc.) into the profile—only include resume-relevant info; (3) consider restricting file permissions (e.g., chmod 600) or using an encrypted folder if you want stronger local protection; (4) note that the SKILL.md claims 'no external API calls'—that is an instruction, not an enforceable guarantee, so only proceed if you trust the agent/platform to honor that behavior. If you want stronger assurance, request the skill author provide signed code or an installable package that you can review before granting file-write permissions.

Purpose & Capability: okName/description (resume/CV creation, ATS checks, cover letters) matches the SKILL.md. The skill only requires basic file read/write/exec capabilities to create and manage a local profile directory; no unrelated credentials, binaries, or network access are requested.
Instruction Scope: okSKILL.md instructions are scoped to interactive conversation and local file operations (mkdir, read/write profile/settings/versions files under ~/.openclaw/resume-builder). It explicitly states no external API calls or network requests. There is no instruction to read unrelated system files or secrets.
Install Mechanism: okThis is an instruction-only skill with no install spec, no downloads, and no code files—lowest-risk install posture.
Credentials: okThe skill declares no required environment variables, no credentials, and no external config paths. The requested permissions (read/write/exec for local files) are proportionate to building and persisting resumes.
Persistence & Privilege: okalways:false and user-invocable:true (normal). The skill persists user resume data under ~/.openclaw/resume-builder which is appropriate for its purpose; it does not request system-wide or other-skills config access.