Skill v1.0.0
ClawScan security
Resume Tailor — JD-Matched Resume & Cover Letter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 1:28 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested access and runtime instructions are consistent with a resume/cover-letter tailoring tool and do not ask for unrelated credentials, installs, or system access.
- Guidance: This skill appears coherent and limited to resume/JD text processing. Before using it: (1) Remove or redact highly sensitive personal data (SSN/national ID, passport number, bank details); resumes often contain DOB, home address, or photos, so include only what's needed for the application. (2) Avoid pasting proprietary/confidential employer data or full private project artifacts. (3) Review the output carefully to ensure nothing was fabricated and all metrics/claims are accurate. (4) Note the skill's source is unknown; if you want stronger assurance, prefer skills from a known publisher or inspect the source/approval history. Finally, remember the platform may handle uploaded files; check platform privacy/storage policies if you're uploading attachments.
Review Dimensions
- Purpose & Capability: ok. Name/description (tailoring resumes + cover letters) match the skill's contents: the SKILL.md and reference docs focus on JD parsing, keyword matching, formatting, and writing. There are no declared env vars, binaries, or install steps that are extraneous to this purpose.
- Instruction Scope: note. Instructions stay within the domain: request resume and JD text/files, extract keywords, rewrite resume and a cover letter, and produce gap analysis and tips. Note: the skill expects uploaded files (.docx, .pdf, .txt) and to 'parse' them. As an instruction-only skill there is no code shown for parsing, so actual file handling depends on the platform agent. The SKILL.md explicitly forbids fabrication and limits actions to user-provided content.
- Install Mechanism: ok. No install spec, no code files to run, and no external downloads. This is instruction-only, which minimizes on-disk/executable risk.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or platform tokens.
- Persistence & Privilege: ok. 'always' is false and there are no indications the skill requests persistent system-wide privileges or modifies other skills. The default ability for the agent to invoke the skill autonomously is set to platform defaults (disable-model-invocation: false), which is normal.
