AI Product Manager Resume Maintenance

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-pm-resume-hub
Version: 1.0.0

The skill bundle is a legitimate tool for managing AI Product Manager resumes, providing automated workflows for extracting resume points from logs and generating PDF/HTML exports. The Python scripts (export_pdf.py and render_dashboard.py) perform standard file I/O and document rendering within the designated workspace directory (~/.openclaw/workspace/career/ai-pm-campus/). No evidence of data exfiltration, malicious command execution, or harmful prompt injection was found; the code logic and agent instructions are strictly aligned with the stated purpose of resume maintenance.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A crafted résumé, worklog, or points-pool entry could run JavaScript when the local dashboard is opened or used during PDF export, potentially changing the preview or sending résumé contents elsewhere.

Why it was flagged

Gap text is extracted from local Markdown inputs and inserted into the generated dashboard using innerHTML without escaping or DOMPurify sanitization for that field.

Skill content
container.innerHTML = gaps.map(gap => `... <span class="text-gray-700">${gap}</span> ...`).join('');
Recommendation

Render all user-derived values with textContent or explicit HTML escaping, sanitize every innerHTML insertion, and safely escape JSON embedded inside script tags.

What this means

If a CDN asset changes or is compromised, third-party code could run in the résumé dashboard and access the displayed personal data.

Why it was flagged

The generated local dashboard loads third-party JavaScript from CDNs at runtime, including unpinned or integrity-unverified assets, while displaying personal résumé content.

Skill content
<script src="https://cdn.tailwindcss.com"></script> ... <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script> ... <script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
Recommendation

Bundle vetted local copies of the libraries or pin exact versions with Subresource Integrity, and clearly disclose that opening the dashboard requires loading third-party scripts.

What this means

Personal résumé details, work logs, project labels, and gap analyses will remain on disk for later reuse.

Why it was flagged

The skill intentionally maintains a persistent local résumé/worklog/points repository across runs.

Skill content
Default root directory: `career/ai-pm-campus/` ... `inputs/worklog/` ... `inputs/points-pool/master-points.md` ... `outputs/resume-onepage.md` ... output must be written to disk as files
Recommendation

Keep the workspace private, avoid storing unnecessary sensitive details, and review or delete generated files before sharing or syncing the directory.