Skill v1.0.0
ClawScan security
Resume Tailor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 6:09 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are consistent with its stated purpose (calling a local material-generation API to generate/review/export resumes), but it depends on a localhost service of unknown provenance so you should verify that service before use.
- Guidance: This skill simply instructs the agent to talk to a service on localhost:8010 to generate/review/export resumes. That is coherent, but before installing: (1) confirm you have and trust the local service running on port 8010 (unknown source/homepage); (2) be aware the skill will return file paths/URLs which could reveal local filesystem locations; (3) the skill will make HTTP POST requests to localhost — ensure those endpoints do only what you expect and don't handle sensitive credentials you don't want transmitted; (4) test in a safe environment first. If you don't run or trust a local service at 127.0.0.1:8010, do not enable the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the skill calls endpoints to generate, review, and export application materials. No unrelated env vars, binaries, or installs are requested.
- Instruction Scope (note): SKILL.md is narrowly scoped to POST calls to http://127.0.0.1:8010/api/... and to prompt the user for approve/reject. This is appropriate for a resume-material workflow, but it assumes a local service is running and asks the agent to return file paths/URLs (which may expose local filesystem paths).
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This minimizes written-to-disk risk.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths, which is proportionate for the stated functionality.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or permanent presence. Autonomous invocation is permitted (platform default) but not unusual here.
