ClawHub

Digital Identity, CV & Resume Creator

v5.2.4

Create a free digital identity, professional resume and CV — from classic PDF and HTML layouts to 3D worlds and playable games. Permanent public URL with own...

4· 2.7k·3 current·3 all-time
by@rotorstar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (CV & resume creator) match the SKILL.md and reference docs. The only credential mentioned is an optional Access-ID used for higher rate limits and webhook HMAC signing, which is expected for a service offering callback webhooks and agent registration.
Instruction Scope
The SKILL.md limits agent actions to HTTP calls to talent.de, polling, SSE, or callbacks and explicitly instructs agents to only use user-provided data. It does not request reading local files, secrets, or unrelated system state. It does require the agent to present review URLs and handle polling/callbacks (including verifying HMAC signatures) — all of which are coherent with a HITL CV creation workflow.
Install Mechanism
This is an instruction-only skill with no install spec and no third-party downloads. No code is written to disk. Low installation risk.
Credentials
No required environment variables; one optional environment variable (TALENT_ACCESS_ID) is declared and used only as an Access-ID/HMAC secret for callbacks and rate-limited features. That is proportional to the stated functionality. The docs also advise storing it as an env var and not hardcoding it.
Persistence & Privilege
Skill is not forced always-on (always: false) and does not request system-wide config changes. Autonomous invocation is allowed (default) but this is normal for skills; nothing indicates it modifies other skills or global agent settings.
Assessment
This skill appears coherent and limited to calls to talent.de. Before installing, consider: (1) the source is listed as unknown — confirm you trust the publisher and the talent.de homepage; (2) claim_tokens never expire and grant ownership if leaked—treat them like passwords and only share with the user; (3) if you supply a hitl_callback_url your agent must expose a public HTTPS endpoint and verify X-HITL-Signature using the Access-ID; protect that endpoint and the Access-ID; (4) rate limits: without an Access-ID you get 3 CVs/day per IP — shared servers may hit this unexpectedly; (5) avoid including sensitive identifiers (SSNs, private keys, financial data) in CVs as the docs explicitly forbid them. If you need stronger assurance about provenance, ask the publisher for source code or a canonical integration listing from talent.de.

Like a lobster shell, security has layers — review code before you run it.

3d-templatesvk97904bgnj50pvk7jnyhn476s1817q6vanimatedvk97904bgnj50pvk7jnyhn476s1817q6vcareervk97904bgnj50pvk7jnyhn476s1817q6vcvvk97904bgnj50pvk7jnyhn476s1817q6vdigital-identityvk97904bgnj50pvk7jnyhn476s1817q6vfree-apivk97904bgnj50pvk7jnyhn476s1817q6vgamifiedvk97904bgnj50pvk7jnyhn476s1817q6vlatestvk97ez55j74aeb5ykx16bd279kd8248eeopen-accessvk97904bgnj50pvk7jnyhn476s1817q6vpersonal-urlvk97904bgnj50pvk7jnyhn476s1817q6vresumevk97904bgnj50pvk7jnyhn476s1817q6v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📄 Clawdis

Comments