Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Frontend Cv
v1.0.1
Create professional HTML/PDF resumes from any input format (md/pdf/word/txt). Extracts resume data, converts to structured YAML, generates styled HTML with m...
by Vint @vintlin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the included scripts: extract_resume.py (PDF/DOCX/TXT/MD extraction) and render_html.py (YAML → themed HTML). This is coherent for a resume renderer. However the SKILL.md and README claim 'Zero Dependencies' and 'single HTML files', while the README and scripts require Python libraries (pypdf/python-docx/yaml) — an internal inconsistency in the stated zero-deps principle vs actual runtime needs.
Instruction Scope
Runtime instructions are scoped to extracting text, converting to structured YAML, generating themed HTML previews, and exporting to PDF. That's within the stated purpose. A notable instruction is to save previews under .claude-design/cv-previews/ and 'open each preview automatically' — the skill writes files to the user's home area (persistent data) and may attempt to open previews, which is reasonable for this tool but should be understood by users. No instructions direct the agent to read unrelated system files or environment variables.
Install Mechanism
There is no install spec (instruction-only), so nothing will be fetched automatically by an installer. The package includes local Python scripts which will run on the host. The README asks users to pip-install dependencies (PyPDF2, python-docx, pyyaml, jinja2) but the extract script refers to 'pypdf' and 'docx' modules and render_html imports 'yaml' (yaml.safe_load). These mismatches between documented package names and actual imports are an operational inconsistency (not necessarily malicious) and could cause runtime failure if not corrected.
Credentials
The skill does not request environment variables or credentials — appropriate for this purpose. The only external references are font links (Google Fonts/Fontshare) embedded in the theme YAML files; generated HTML will include those external font URLs, which means opening the HTML may cause the browser to fetch resources from Google/Fontshare. That is expected for web-font usage but is an external network interaction to be aware of.
Persistence & Privilege
always is false and there are no special privileges. The skill will write generated previews and outputs to disk (SKILL.md specifies .claude-design/cv-previews/ and scripts write output files such as resume_data.yaml and resume.html). This is appropriate for a generator, but the skill did not declare config paths in metadata despite referencing and creating a dot-directory in the user's home — users should be aware files will be written.
What to consider before installing
This skill is mostly coherent with its advertised purpose (local resume extraction and HTML/PDF rendering), but review these before installing/using:
1) Dependencies: the README lists different package names than the scripts import (README: PyPDF2; code expects pypdf; README lists jinja2 but render_html.py doesn't import jinja2). Verify and install the correct Python packages in a virtual environment (or inspect/fix imports).
2) Files written: the skill will create preview/output files (it references ~/.claude-design/cv-previews/); confirm you’re comfortable with files being written to your home directory.
3) External resources: theme YAMLs include Google Fonts links — opening the generated HTML will cause your browser to fetch fonts from external servers. If you want fully offline HTML, remove or inline fonts.
4) Inspect the scripts: because these are local Python scripts included with the skill, review render_html.py and extract_resume.py yourself (or run them in an isolated environment) to ensure they do only what you expect.
5) Sensitive data: resumes contain personal data — handle input files and the generated YAML/HTML/PDFs accordingly and avoid uploading them to unknown endpoints.
If you want higher assurance, run the scripts in a disposable VM or container and confirm network activity when rendering and previewing.
Like a lobster shell, security has layers — review code before you run it.
latest vk9767k2pksstgttjkzx6722g75834wgh
