Skill v1.0.6

ClawScan security

Resume Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 4:18 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only resume/CV prompt-pack whose requested artifacts, instructions, and scope align with its stated purpose — nothing required is disproportionate or unexplained.
Guidance
This skill is an instruction-only prompt pack for improving and exporting resumes and appears internally consistent. Before installing: (1) remember it operates on any resume text you paste — avoid supplying sensitive personal identifiers (SSN, passport numbers, bank details) in resumes you submit; (2) the export docs reference command-line tools (pandoc, wkhtmltopdf, xelatex). If your agent can execute system commands, ensure such execution is sandboxed or disabled if you don't want automatic binary calls; (3) provenance is limited (source/homepage not provided) — if you need higher assurance, inspect the prompts/templates (they're included) to confirm no hidden data forwarding or undesired instructions; (4) the project is MIT-licensed and contains only human-readable prompts/templates, so risk is low but always treat user-supplied PII carefully.
Findings
[no_code_files_to_scan] expected: The static regex scanner had no code to analyze because this is an instruction-only skill composed of prompt and template files; the absence of findings is expected but is not proof of safety.

Review Dimensions

Purpose & Capability
ok: The name/description (resume polishing, tailoring, scoring, exporting) matches the contained files (prompts, templates, examples). There are no unexpected credentials, binaries, or config paths declared.
Instruction Scope
note: SKILL.md and the prompts instruct the agent to load local prompt files, analyze pasted resumes and job descriptions, and produce rewritten resumes and export artifacts. This stays within the stated purpose. Note: export.md documents commands and conversion tools (pandoc, wkhtmltopdf, xelatex, weasyprint) as conversion options; these are usage recommendations, not required environment variables, but an agent with the ability to run system commands could try to execute them. There is no instruction to read unrelated system files or exfiltrate data.
Install Mechanism
ok: No install spec or downloadable code is present; the skill is instruction-only. Nothing will be written to disk by an installer as part of skill installation.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The prompts operate on user-provided resume text and job descriptions only, which is proportionate to the stated functionality.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable, with default autonomous invocation permitted. It does not request permanent system presence or modify other skills/config; this is appropriate for an instruction-only prompt package.