AI Interview

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it says, but it uploads sensitive resume files to Fuku.ai using shared anonymous access and appears to request long remote file retention without clear user control.

Install only if you are comfortable sending the selected resumes and report email to Fuku.ai's public service. Before running it, verify the folder contents, avoid sensitive or unauthorized resumes, review Fuku.ai's privacy and retention terms, and consider asking the author to document the upload retention parameter.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Resume files may remain available to the third-party service for much longer than a user expects.

Why it was flagged

Each selected resume is uploaded to the external Fuku.ai endpoint, and the additional 'hour' parameter is set to 9600. That appears to control remote file lifetime or availability, but the user-facing instructions do not clearly explain or let the user choose this value.

Skill content

form.append("file", fs.createReadStream(filePath));
form.append("hour", 24 * 400);
const response = await axios.post(UPLOAD_URL, form, {

Recommendation

Use only resumes you are allowed to share externally, review Fuku.ai's privacy/retention terms first, and ask the skill author to document or make the upload-retention setting configurable.

What this means

If the wrong folder is provided, multiple private documents could be sent to Fuku.ai.

Why it was flagged

The script batch-processes every allowed document in the supplied folder, up to the 100-file limit. This is expected for the skill, but a mistaken folder selection could upload unintended resumes.

Skill content

const resumeFiles = listResumeFiles(folder);
const uploads = [];
for (const filePath of resumeFiles) {

Recommendation

Confirm the exact folder contents before running the script, and keep only the intended resume files in that folder.

What this means

Jobs are created through shared service identifiers rather than a private user account.

Why it was flagged

The service access is via shared anonymous identifiers rather than a user-specific account. This is clearly disclosed and purpose-aligned, but it means users may not get account-level audit, deletion, or access controls.

Skill content

This skill uses **shared anonymous credentials** provided by Fuku.ai for public access

Recommendation

Use this only if anonymous shared access is acceptable for your hiring/interview workflow.

What this means

Dependency versions may vary across installs.

Why it was flagged

The helper script depends on npm packages specified with caret ranges, so npm may install newer compatible versions. This is common and purpose-aligned, but not fully pinned.

Skill content

"dependencies": {
  "axios": "^1.13.5",
  "form-data": "^4.0.5"
}

Recommendation

Install in a controlled environment and consider using a lockfile or pinned dependency versions for repeatable behavior.

What this means

Basic interview-job history can remain on disk after use.

Why it was flagged

The package includes a persisted job metadata file, and run.js writes similar records for future jobs. The stored data is minimal, but it can still reveal company/title/job activity.

Skill content

"jobId": "df7c879fb9f4472ca75689969148fef3",
"company": "FUKU",
"title": "CTO"

Recommendation

Delete files under jobs/ if company names, titles, or job IDs should not be retained locally.