Digital Identity, CV & Resume Creator
Review
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only CV skill is coherent and transparent, but it sends personal resume data to Talent.de and can publish a persistent public CV URL, so users should review details before approving.
Install only if you are comfortable sending the provided resume details to Talent.de and creating a public CV URL. Keep human review enabled, avoid including government IDs, passwords, financial details, or confidential business information, and protect both the claim token and any optional Access-ID.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could create and publish a CV through the service; with HITL enabled, the user gets chances to review slug, template, and final content.
The skill can call an external API to create a CV, including a direct creation path, but it clearly instructs human review for normal interactive use.
If a human is present, ALWAYS use `"prefer_hitl": true` ... Use `"skip_hitl": true` only for automated pipelines with no human in the loop.
Use `prefer_hitl` for user-facing CV creation, review the summary and final draft, and avoid `skip_hitl` unless the workflow is intentionally automated.
If the Access-ID is exposed, others may abuse the agent's Talent.de quota or interfere with callback verification.
The optional Access-ID is a sensitive credential used for higher limits and callback verification.
The Access-ID is also the HMAC secret for verifying `X-HITL-Signature` on callback webhooks. Store in `TALENT_ACCESS_ID` — do not hardcode.
Use basic mode without an Access-ID unless needed, store the Access-ID only as a secret environment variable, and rotate it if exposed.
Resume details entered during review may be transmitted through webhook callbacks if that feature is enabled.
The optional callback webhook can carry personal CV data to an agent endpoint, and the artifact documents HTTPS and signature-verification requirements.
Payloads may include user-entered data from `input` steps — treat as PII ... **Always verify** the `X-HITL-Signature` header
Only use HTTPS callback endpoints, verify signatures before trusting callback data, and do not forward callback payloads without user consent.
A leaked claim token could let someone else claim ownership of the CV, and incorrect public CV data may persist until the owner requests changes or deletion.
The created CV has a long-lived ownership token, so accidental sharing or incorrect publication can have lasting effects.
Anyone with the token can claim CV ownership ... Tokens never expire
Keep claim tokens private, omit sensitive identifiers from CV content, verify all data before publication, and use the documented deletion process if needed.
