HireMe Pro
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions, you-are-now); human review is required before treating this skill as clean.
Before installing, review the shell setup steps, install Playwright only from a trusted environment, and understand where your resume data will live. The core PDF workflow appears local, but optional salary research and dashboard features can involve external web or cloud services. ClawScan detected prompt-injection indicators (ignore-previous-instructions, you-are-now), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Setup may install and run Playwright/Chromium locally.
The skill relies on a user-installed external package/runtime even though registry requirements list no required binaries or install spec. This is expected for PDF generation, but users should install from a trusted environment.
Playwright for PDF generation (`pip3 install playwright && playwright install chromium`)
Review the setup commands before running them, install Playwright from a trusted Python environment, and consider pinning dependency versions.
Your resume details will be saved on disk and could be exposed through local backups, sync tools, or other users with access to the machine.
The skill persistently stores names, contact information, work history, and other resume details for reuse across resume-building tasks.
Store extracted data in `data/resume-data.json` ... Resume data contains PII
Keep the data directory in a protected location, use disk encryption where possible, and delete local resume data when no longer needed.
If you build the optional dashboard, mishandling the service role key could expose or modify cloud-stored job and resume data.
The optional dashboard build spec introduces cloud credentials, including a high-privilege Supabase service role key, even though the core skill metadata declares no credentials.
`SUPABASE_SERVICE_ROLE_KEY` (server-side only)
Only use the service role key on trusted server-side code, never expose it to the browser, and verify Row Level Security policies before storing real resume data.
Users may believe every feature is fully local when optional features can involve web or cloud services.
These absolute privacy assurances are broader than the rest of the package, which also documents user-requested web_search/web_fetch salary research and an optional Supabase/Vercel dashboard.
No data exfiltration — Your resume data never leaves your machine ... No external API calls — Everything runs locally
Treat the local-only claim as applying to the core resume/PDF workflow, and explicitly confirm before enabling salary web research or the dashboard kit.
