← Back to Skills Marketplace

resume-jd-matcher

Name: resume-jd-matcher
Author: sxffly

by sxffly · GitHub ↗ · v2.0.3 · MIT-0

cross-platform ⚠ suspicious

119

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install resume-jd-matcher

Description

批量解析简历并与岗位 JD 进行 AI 智能匹配，生成结构化匹配报告（Excel）

Usage Guidance

This skill appears to implement resume↔JD matching, but proceed cautiously. Key concerns: 1) The repo includes hard-coded API keys and bearer tokens in references/config_resume_match.yaml — treat these as insecure and remove them before use; do NOT assume they are safe or your own. 2) If you enable 'api' mode (or if the skill falls back to the included config), the skill will send full resume text (sensitive personal data) to external third-party endpoints — verify which endpoint and credential will actually be used. 3) main.py expects an import path (resume_match_v2.0.2.py) that isn't in the package — this mismatch could cause failures or unexpected behavior; inspect/repair the entrypoint before running. 4) The skill writes parsed resume JSON files to disk (parsed/ folder) — ensure your environment is secure and permitted to store those files. Recommended actions before installing/running: a) Inspect and remove any embedded api_key values from config files; b) Create/verify a config_resume_match.yaml that uses only your approved endpoints/keys or uses 'subagent' mode; c) Run in a safe test environment with non-sensitive sample resumes; d) Consider disabling API mode or running offline if you cannot verify the third‑party providers; e) Fix the inconsistent import/path references (or run the provided scripts directly) and confirm expected behavior. If you want, I can point to the exact lines/files containing embedded keys and the dynamic import for quick remediation.

Capability Analysis

Type: OpenClaw Skill Name: resume-jd-matcher Version: 2.0.3 The skill bundle contains multiple hardcoded, high-privilege AI service API keys and Bearer tokens (Tencent, Alibaba, and CMHK) within 'references/config_resume_match.yaml', which is a severe security vulnerability. Additionally, 'main.py' uses dynamic module loading via 'importlib.util' from hardcoded absolute paths (C:\Users\Administrator\...), and the scripts rely on broad file system access to specific directories. While the logic appears to serve the stated purpose of resume matching and lacks clear evidence of intentional data exfiltration or backdoors, the credential exposure and fragile execution patterns pose a significant security risk.

Capability Assessment

ℹ Purpose & Capability

Name/description (resume ↔ JD matching) aligns with the code: scripts parse .docx/.pdf, create tasks, call subagents or external APIs, and produce Excel output. However there are mismatches: main.py dynamically imports a file at C:\Users\Administrator\.openclaw\workspace\resume_match_v2.0.2.py which is not present in the package (the repo has scripts/resume_match.py). Config/example files use different default paths (D:\ vs C:\) across SKILL.md, README, and _meta.json. These inconsistent paths/import targets make runtime behavior unclear and could cause failures or unexpected fallbacks.

⚠ Instruction Scope

SKILL.md and code intentionally read local resume/JD files and write outputs including parsed JSON copies of each resume into a parsed/ folder — expected for the feature but means full resume text is persisted to disk. In 'api' mode the skill will send entire resume text to configured external endpoints. The SKILL.md claims subagent mode needs no API keys, but the code and config support an 'api' mode that will transmit potentially sensitive resume content to third‑party APIs. The instructions and code do not request unrelated system files, but they do write parsed personal data to disk and may call external services if API mode is enabled.

✓ Install Mechanism

There is no separate install spec or remote download — risk from installation mechanism is low. The skill is provided as code files (no arbitrary archive downloads).

⚠ Credentials

Registry metadata declares no required environment variables or primary credential, but the included references/config_resume_match.yaml contains multiple hard-coded API keys and bearer tokens for various providers (e.g., entries under 'api_providers' with api_key values). Embedding third‑party API keys in the repository is a red flag: (1) those keys may be stale/leaked credentials belonging to someone else, (2) the skill can be switched into 'api' mode and will send full resume contents to external endpoints using those credentials. The skill's declared permissions (sessions_spawn, subagents, sessions_history) are appropriate for subagent operation, but the presence of embedded secrets is disproportionate to the stated 'no env needed' claim and increases data‑exfiltration risk.

✓ Persistence & Privilege

always is false and the skill does not request permanent platform-wide privileges. It does require OpenClaw subagent-related permissions (sessions_spawn, subagents, sessions_history) which are consistent with its design to spawn child agents. The skill does not appear to modify other skills or system-wide settings.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install resume-jd-matcher
After installation, invoke the skill by name or use /resume-jd-matcher
Provide required inputs per the skill's parameter spec and get structured output

Version History

v2.0.3

Resume-JD-Matcher 2.0.3: Major upgrade with dual-mode support and efficiency improvements - Added dual working modes: "subagent" (for OpenClaw) and "api" (standalone script with AI API). - Now supports batch parsing of resumes and job descriptions, with AI-powered structure matching and Excel report generation. - Improved performance: supports concurrent processing, configurable parallelism (default 3), and incremental processing (skip already-matched resumes). - Enhanced configuration flexibility: detailed YAML-based setup for paths, API, logging, and advanced parameters. - Output now includes structured Excel reports with both detailed analysis and summary sheets. - Updated documentation with workflows, directory structure requirements, mode comparison, troubleshooting, and dependency lists.

Metadata

Slug resume-jd-matcher

Version 2.0.3

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is resume-jd-matcher?

批量解析简历并与岗位 JD 进行 AI 智能匹配，生成结构化匹配报告（Excel）. It is an AI Agent Skill for Claude Code / OpenClaw, with 119 downloads so far.

How do I install resume-jd-matcher?

Run "/install resume-jd-matcher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is resume-jd-matcher free?

Yes, resume-jd-matcher is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does resume-jd-matcher support?

resume-jd-matcher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created resume-jd-matcher?

It is built and maintained by sxffly (@sxffly); the current version is v2.0.3.

More Skills