HireMe Pro

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: normieclaw-hireme-pro
Version: 1.0.3

The HireMe Pro skill bundle provides career coaching features that require high-risk capabilities, including shell execution for PDF generation (scripts/generate-resume-pdf.sh), network access for job fetching and salary research, and the management of sensitive PII. Although the bundle incorporates robust security controls, such as path validation, a Playwright request interceptor to prevent data exfiltration, and explicit prompt-injection defenses in SKILL.md, the presence of these powerful tools for file, shell, and network access warrants a suspicious classification according to the provided criteria for risky capabilities without clear malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Setup may install and run Playwright/Chromium locally.

Why it was flagged

The skill relies on a user-installed external package/runtime even though registry requirements list no required binaries or install spec. This is expected for PDF generation, but users should install from a trusted environment.

Skill content

Playwright for PDF generation (`pip3 install playwright && playwright install chromium`)

Recommendation

Review the setup commands before running them, install Playwright from a trusted Python environment, and consider pinning dependency versions.

What this means

Your resume details will be saved on disk and could be exposed through local backups, sync tools, or other users with access to the machine.

Why it was flagged

The skill persistently stores names, contact information, work history, and other resume details for reuse across resume-building tasks.

Skill content

Store extracted data in `data/resume-data.json` ... Resume data contains PII

Recommendation

Keep the data directory in a protected location, use disk encryption where possible, and delete local resume data when no longer needed.

What this means

If you build the optional dashboard, mishandling the service role key could expose or modify cloud-stored job and resume data.

Why it was flagged

The optional dashboard build spec introduces cloud credentials, including a high-privilege Supabase service role key, even though the core skill metadata declares no credentials.

Skill content

`SUPABASE_SERVICE_ROLE_KEY` (server-side only)

Recommendation

Only use the service role key on trusted server-side code, never expose it to the browser, and verify Row Level Security policies before storing real resume data.

What this means

Users may believe every feature is fully local when optional features can involve web or cloud services.

Why it was flagged

These absolute privacy assurances are broader than the rest of the package, which also documents user-requested web_search/web_fetch salary research and an optional Supabase/Vercel dashboard.

Skill content

No data exfiltration — Your resume data never leaves your machine ... No external API calls — Everything runs locally

Recommendation

Treat the local-only claim as applying to the core resume/PDF workflow, and explicitly confirm before enabling salary web research or the dashboard kit.