Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recruiter Assistant

v1.4.2

A professional recruitment workflow assistant. Evaluates resumes against dynamic requirements and AI proficiency, provides critical Pros/Cons analysis, and p...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (resume screening, salary benchmarking, Feishu report generation) align with the included scripts and reference files. However, the runtime expects agent-side tools (feishu_doc, message) and an external binary (pdftotext) even though the skill's metadata declares no required binaries or credentials. Those runtime dependencies should be declared or justified.
Instruction Scope
The scripts and SKILL.md instruct the agent to read full resume contents, print them to stdout, generate Feishu docs, and present public Feishu links directly in chat. Printing full resume text and instructing creation/publication of documents with candidate PII is a high privacy risk. The instructions also tell the agent to call the feishu_doc tool and to send HR notifications via a 'message' tool — these external transmissions of candidate data are not constrained or qualified in the documentation.
Install Mechanism
There is no install spec (instruction-only), which minimizes installation risk. But the scripts call the pdftotext binary and rely on a Node runtime; pdftotext is not declared in required binaries, so a missing dependency or hidden requirement exists. No network download/install steps are present.
Credentials
The skill declares no required environment variables or credentials, yet the runtime instructions explicitly direct calling a feishu_doc tool (and mention a docToken in one script). That implies the need for Feishu authentication or agent tool permissions that are not declared. The skill therefore asks (via behavior) for access to external services and candidate data without documenting what credentials or scopes will be used — disproportionate given the sensitivity of PII.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It does read and write temporary files (e.g., /tmp) and generates per-candidate documents, which are reasonable for its purpose.
What to consider before installing
This skill appears to do what its name says, but proceed cautiously. Key points to check before installing or running:

  1. pdftotext is required by the scripts but not declared — install and test it separately.
  2. The scripts print entire resume contents to stdout and instruct the agent to create and publish Feishu documents and to post summaries to HR; this will transmit candidate PII to external services. Confirm where Feishu docs are stored, who can access public links, and what authentication/scopes the feishu_doc and message tools use.
  3. There are no declared credentials or env vars for Feishu; verify how authentication is handled by your agent runtime and limit permissions/scopes.
  4. If you will process real candidate data, run the skill in an isolated environment (or with sanitized/test resumes) until you confirm behavior and storage/privacy controls.
  5. Consider asking the publisher to: declare pdftotext as a required binary, document required tool permissions, avoid printing raw resumes to logs, and add explicit guidance or opt-in for publishing public links.

If any of these are unacceptable for your privacy/security posture, do not use the skill with real candidate data.

Like a lobster shell, security has layers — review code before you run it.

Tags: automation, golang, hr, latest, php, recruitment
733 downloads
0 stars
12 versions
Updated 5h ago
v1.4.2
MIT-0

Recruiter Assistant 🦞

This skill implements a high-bar recruitment workflow for technical hiring, specifically optimized for the Shenzhen market.

Workflows

1. Rigorous Resume Screening

Evaluate a candidate with a critical lens.

  • Single: node scripts/screen_resume.js <path_to_resume> --lang <language> --yoe <years_of_experience>
  • Batch: node scripts/batch_screen.js <folder_path> --threshold <score> --lang <language> --yoe <years_of_experience>
  • Output Requirements:
    1. Strict Scoring: Adheres to the 0-100 rubric in references/hiring-criteria.md. High standards for "Senior" roles (must show architectural impact and expert AI usage).
    2. Detailed Analysis: Explicitly lists at least 3-4 hard technical strengths and significant weaknesses/gaps.
    3. Separate Reporting: Each candidate evaluation must be saved/written to its own document.
    4. Salary Benchmark: Compares the candidate's expected salary against Shenzhen market rates (Boss Zhipin 2026).
    5. HR Notification: High-scoring candidates (>= threshold) should be summarized and sent to HR via the message tool.

2. AI Proficiency Evaluation

Mandatory check for AI tool usage (Cursor, Copilot, LLM APIs). Lack of AI usage is considered a significant productivity gap.

3. Interview Preparation & Summary

  • Questions: node scripts/generate_questions.js <input_json> (Focuses on the identified "Cons").
  • Summarization: node scripts/summarize_interview.js <notes_file> (Uses the template in assets/report-template.md).

Market Benchmark (Shenzhen 2026)

Refer to references/hiring-criteria.md for the latest salary data and scoring rubrics.

Core Principles

  • Critical Lens: Do not give high scores easily. High seniority requires evidence of architectural impact.
  • Data-Driven: Benchmarks must align with the current Shenzhen tech market.
  • AI-Forward: Efficiency through AI is a core requirement for a modern senior engineer.
