ajitsingh25

Placed Resume Builder

by Ajit Singh · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
294 Downloads · 0 Stars · 0 Active Installs · 4 Versions
Install in OpenClaw
/install placed-resume-builder
Description
This skill should be used when the user wants to "build a resume", "create a resume", "update my resume", "export resume as PDF", "change resume template", "...
Usage Guidance
What to know and steps before installing:
- Inconsistency to fix: the registry metadata says no env vars/config paths, but SKILL.md reads and writes PLACED_API_KEY and ~/.config/placed/credentials. Ask the publisher to correct metadata so the required secret and config path are explicit.
- Credential persistence: the skill instructs saving your API key in plaintext as an 'export' line in ~/.config/placed/credentials. If you install/use this skill, do NOT paste a high-privilege or long-lived key unless you trust the site. Prefer creating a limited-scope or revocable API key for this purpose.
- Safer alternatives: instead of allowing automatic file write, consider setting PLACED_API_KEY in your environment/session yourself or use a system keyring/secret manager. If the skill must save a file, ensure the file permissions are restrictive (chmod 600) and the directory is private.
- Verify the service: confirm you trust https://placed.exidian.tech (TLS certificate, privacy policy, and account settings). The curl endpoint used is https://placed.exidian.tech/api/mcp — check network traffic or logs if you need to audit what is sent.
- Minimal exposure: if you proceed, create a dedicated API key with the least privileges required and be prepared to revoke it if you stop using the skill or if you detect misuse.
- Ask for clarification: request that the publisher explicitly declare requires.env: PLACED_API_KEY and required config path ~/.config/placed/credentials in the skill metadata and explain why they persist the key and whether encryption/permission guidance is provided.

Overall: the skill appears to do what it says, but the undocumented handling and plaintext persistence of your API key is why this is 'suspicious' rather than 'benign.'
Capability Analysis
Type: OpenClaw Skill
Name: placed-resume-builder
Version: 1.1.0

The skill `placed-resume-builder` contains a shell injection vulnerability in the `placed_call` function and an unsafe `source` command in `SKILL.md`. The `placed_call` function embeds unsanitized arguments directly into a `curl` command string, which could allow for arbitrary command execution. Additionally, the credential management logic uses `source` on a configuration file that is populated with user-provided input, creating another vector for command injection. While the skill's purpose of managing resumes via `https://placed.exidian.tech` appears legitimate, these high-risk vulnerabilities warrant a suspicious classification.
Capability Assessment
Purpose & Capability
The SKILL.md clearly describes a resume-building integration with placed.exidian.tech and the curl API calls align with that purpose. However, registry metadata claims no required env vars or config paths while the instructions depend on PLACED_API_KEY and the ~/.config/placed/credentials file — this mismatch is unexplained and inconsistent.
Instruction Scope
Runtime instructions require sourcing and writing ~/.config/placed/credentials, prompting the user for an API key if missing, and then persistently saving that key as an export line in a file. Apart from calling the placed API (curl) and minimal local file I/O for credentials, there is no other I/O — but the directive to write credentials in plaintext is a scope/behavior the registry did not declare.
Install Mechanism
This is an instruction-only skill with no install steps and no code files to fetch or execute. That minimizes installation risk.
Credentials
Functionally the skill needs exactly one secret (PLACED_API_KEY) for the Placed API, which is proportionate. But the package metadata did not declare this primary credential or the config path; additionally, the skill instructs storing the secret unencrypted in ~/.config/placed/credentials, which is a security concern and should have been declared.
Persistence & Privilege
The skill does not request elevated platform privileges or always: true. It does instruct persistent storage of the user's API key under ~/.config/placed/credentials (creates directory and writes an 'export' line), which is normal for convenience but increases attack surface if the file is world-readable or the key is reused elsewhere.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install placed-resume-builder
  3. After installation, invoke the skill by name or use /placed-resume-builder
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added rich search tags for better discoverability
v1.0.2
Updated skill structure with references and Claude Code plugin support
v1.0.1
Refactored: proper ClawHub skill format with frontmatter, references/api-guide.md, and trigger phrases
v1.0.0
Initial release — build and manage resumes with AI via placed.exidian.tech
Metadata
Slug placed-resume-builder
Version 1.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Placed Resume Builder?

This skill should be used when the user wants to "build a resume", "create a resume", "update my resume", "export resume as PDF", "change resume template", "... It is an AI Agent Skill for Claude Code / OpenClaw, with 294 downloads so far.

How do I install Placed Resume Builder?

Run "/install placed-resume-builder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Placed Resume Builder free?

Yes, Placed Resume Builder is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Placed Resume Builder support?

Placed Resume Builder is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Placed Resume Builder?

It is built and maintained by Ajit Singh (@ajitsingh25); the current version is v1.1.0.
