Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
batch-resume-screener
v1.0.0
Batch screens multiple resumes against multiple job positions using strict evaluation rules from java-resume-screener skill. Invoke when user asks to batch s...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims multi-format support (PDF/DOC/DOCX) and integration with a 'java-resume-screener' rule set, but the included script only extracts text from PDF files. The package metadata declares no required binaries or environment (none listed), yet the workflow requires a Python runtime and the pdfplumber library (not declared). This mismatch suggests sloppy packaging and could cause missed resumes (DOC/DOCX ignored) or failed runs.
Instruction Scope
SKILL.md scopes the work to extracting resume text, marking matches, scoring, and producing JSON/markdown/CSV reports — all within the stated purpose. It explicitly avoids creating additional scripts and does not instruct contacting external endpoints. However, the skill will read and write resume contents (sensitive personal data) to local files and produce aggregate outputs; privacy/retention handling is not specified and should be considered.
Install Mechanism
This is instruction-only (no install spec), which lowers risk, but the README instructs installing pdfplumber via pip. The registry metadata did not declare Python or pdfplumber as requirements. There's no automated install step provided, so runtime failures or a missing dependency are likely if the agent environment doesn't already provide them.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate for a local resume-processing tool. There are no requests for unrelated tokens or secrets.
Persistence & Privilege
always:false and model invocation defaults are unchanged. The skill does write output files (extracted .txt, JSON results, reports) to local directories as part of normal operation; it does not request persistent platform-wide privileges or modify other skills.
What to consider before installing
This skill appears to do what it says (batch-screen resumes) but has implementation gaps you should address before use:
- Dependency & runtime: The included script requires Python and the pdfplumber package, but the skill metadata doesn't declare these. Ensure the agent environment has Python 3 and pip-installed pdfplumber (pip install pdfplumber) before running Step 1.
- Format support mismatch: The README/SKILL.md advertise DOC/DOCX support, but step1_extract_resumes.py only extracts PDFs. If you have DOC/DOCX resumes, they will be ignored unless you add a DOCX/DOC extractor. Test on a small sample to confirm behavior.
- Sensitive data: Resumes contain personal data. The skill writes extracted text and evaluation JSON files to disk — confirm where files are stored, how long they are retained, and who can access them.
- Integration claims: SKILL.md mentions rules from 'java-resume-screener' but no linkage or dependency is provided. Verify scoring rules and any expected external resources.
If you still want to proceed: run the script in a controlled environment, verify it extracts the expected files, and review outputs on sample data before processing production resumes.
Like a lobster shell, security has layers — review code before you run it.
