Skillv1.0.0

ClawScan security

Resume Score for the resume · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 12, 2026, 1:28 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, instructions, and local scorer code are consistent with a resume-scoring assistant and do not request extra credentials or install external components.
Guidance: This skill appears coherent and self-contained: it scores resumes using local Python code and templates and does not ask for credentials or external installation. Before using it, consider: (1) Only provide resume files you intend the skill to read (it will parse any path you supply). (2) The scoring is keyword/regex-based and may misclassify fields or industry; treat the output as advisory, not definitive. (3) If you need stronger privacy guarantees, review the full scripts (scripts/resume_scorer.py and any remaining JS in assets) to confirm there are no hidden network calls in code portions not shown, or run the scorer in a trusted, offline environment. (4) Don't paste highly sensitive personal data unless you accept the privacy tradeoffs of processing those contents.

Purpose & Capability: okName/description (resume scoring) matches included artifacts: SKILL.md describes scoring logic, references scoring_benchmark.md, provides templates, and the repo contains a local scorer (scripts/resume_scorer.py) and a report UI (assets/index.html). No unrelated credentials, binaries, or platform access are requested.
Instruction Scope: noteRuntime instructions tell the agent to accept pasted text or read a user-supplied file path and parse it to plain text — this is expected for a resume grader. Note: the skill will parse any file the user provides, so only supply files you intend the skill to read; the scoring logic is keyword- and regex-based (may misclassify some resumes).
Install Mechanism: okNo install spec is provided (instruction-only plus local Python script and static HTML). Nothing is downloaded or executed from external URLs in the provided files. This is low-risk for installation behavior.
Credentials: okNo environment variables, credentials, or config paths are required. The skill does not declare or attempt to read external secrets in the provided SKILL.md and shown code imports are standard (re, json, datetime).
Persistence & Privilege: okThe skill is not marked 'always: true' and does not request persistent or platform-wide privileges. It contains only its own local code and static assets and does not modify other skills or global agent settings in the provided artifacts.