hr-recruiting-tracker
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for HR resume processing, but it handles sensitive candidate data and can write it to Tencent Docs when invoked.
Before installing, confirm you intend to process confidential resumes with this skill. Use dry-run mode first, review candidate drafts before upload, pass an explicit Tencent Docs file ID for production use, verify the external `tencent-docs` and `mcporter` dependencies, and store generated resume bundles only in approved private locations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Candidate contact details could be added to Tencent Docs; if the target sheet is ambiguous, data may be written to an unintended same-named sheet.
The workflow can write sensitive candidate records to an online SmartSheet and may default to the first matching sheet title if duplicates exist. This is disclosed and purpose-aligned, but it is a high-impact write path.
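Candidate names, phone numbers, and email addresses are written directly to the Tencent Docs online sheet ... If multiple sheets with the same name `HR候选人库` are found, use the first one in the search results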
Use `--dry-run` first, confirm HR authorization, and pass an explicit `--file-id` or `--space-id` for production uploads.
If the Tencent Docs token or MCP configuration has broad access, uploads and table changes occur under that account's authority.
The Tencent Docs workflows operate through delegated Tencent Docs authorization. This is expected for uploading and maintaining SmartSheets, but it means the skill acts with the user's document-account permissions.
TENCENT_DOCS_TOKEN ... sensitive: true ... Required for Tencent Docs upload and job-library maintenance ... an authorized `tencent-docs` skill
Use the least-privileged Tencent Docs account or workspace practical, keep tokens private, and revoke or rotate access when no longer needed.
Candidate PII and resume contents remain on disk after processing and could be exposed through backups, shared folders, or later agent context use.
The resume-ingestion workflow persists original resumes, extracted text, raw JSON, and candidate drafts locally. This is central to the skill's purpose, but it creates stored sensitive HR data.
resume_bundle/ ... original.<ext> ... resume.md ... resume.raw.json ... candidate_draft.json ... Treat every generated resume bundle as confidential recruiting data
Write bundles only to approved private directories, avoid shared/synced folders unless intended, and delete or archive bundles according to HR retention policy.
A compromised or wrong external dependency could affect Tencent Docs authorization or document operations.
The upload workflow depends on external CLI tooling and a separately installed `tencent-docs` skill, including an optional setup script for authorization troubleshooting. The documentation tells users to use an installed and reviewed skill, but provenance still matters.
npm install -g mcporter ... openclaw skills install tencent-docs ... bash "$TENCENT_DOCS_SKILL_DIR/setup.sh" tdoc_check_and_start_auth
Install `mcporter` and `tencent-docs` only from trusted sources, review the `tencent-docs` skill before running its setup script, and prefer pinned or approved versions in managed environments.
