Recruiter Assistant (Shenzhen)
by gakkiismywife · GitHub · v1.0.0
496 Downloads · 0 Stars · 2 Active Installs · 1 Version
Install in OpenClaw
/install recruiter-assistant-sz
Description
A professional recruitment workflow assistant. Evaluates resumes against dynamic requirements and AI proficiency, provides critical Pros/Cons analysis, and p...
Usage Guidance
This skill mostly does what its description says, but don’t install it blindly. Before using:
- (1) Confirm and declare required binaries (pdftotext) in metadata and ensure they come from trusted packages.
- (2) Treat all candidate files as sensitive PII: run in a sandbox and limit where output can go.
- (3) Fix or audit shell calls: the scripts concatenate user-controlled filenames into execSync; sanitize or use spawn with argument arrays to avoid command injection.
- (4) Clarify external integrations: the README asks agents to send messages to HR and process_incoming accepts a docToken, but no credentials or message-call code are provided; decide how messaging/auth is handled and add required env vars.
- (5) Test with synthetic resumes first.

If you are not able to validate or fix the above, consider this skill suspicious and avoid running it on real candidate data.
Capability Analysis
Type: OpenClaw Skill
Name: recruiter-assistant-sz
Version: 1.0.0
The skill bundle contains multiple shell injection vulnerabilities in `scripts/batch_screen.js` and `scripts/process_incoming.js` due to the use of `child_process.execSync` with unsanitized user-controlled input, potentially leading to Remote Code Execution. Additionally, `scripts/generate_questions.js`, `scripts/screen_resume.js`, and `scripts/summarize_interview.js` are vulnerable to path traversal via `fs.readFileSync` with user-provided file paths. While there is no evidence of intentional malice, these critical vulnerabilities could be exploited to compromise the system.
Capability Assessment
Purpose & Capability
Overall purpose (resume screening, question generation, interview summarization, Shenzhen salary benchmarking) matches the included scripts and reference data. However the metadata declares no required binaries while the scripts call an external tool (pdftotext) — an inconsistency between declared requirements and actual behavior.
Instruction Scope
Runtime instructions and scripts print full resume contents to stdout for the agent to evaluate (potentially exposing sensitive PII). Multiple scripts build shell commands by concatenating unescaped filenames into execSync calls (pdftotext and node invocations), creating command-injection risk if file names or inputs are attacker-controlled. SKILL.md expects sending summaries to HR via a 'message' tool, but code does not implement that; process_incoming.js accepts a docToken parameter that is never used—this suggests incomplete integration and unclear handling of credentials/tokens.
Install Mechanism
No install spec (instruction-only) — low install risk. But the scripts rely on an external binary 'pdftotext' which is not declared under required binaries; the lack of declared dependency is an incoherence the integrator must fix.
Credentials
No environment variables or credentials are declared, which aligns with instruction-only operation. However process_incoming.js accepts a docToken argument (unused) and SKILL.md expects use of a 'message' tool for HR notification—these imply external integration/credentials that are not declared or explained.
Persistence & Privilege
The skill is not always-enabled and requests no persistent privileges or system-wide configuration changes. It does read/write temporary files (e.g., /tmp/*.txt) and writes per-candidate output documents, which is expected for its purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install recruiter-assistant-sz`
- After installation, invoke the skill by name or use `/recruiter-assistant-sz`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Shenzhen-optimized recruiter assistant.
Frequently Asked Questions
What is Recruiter Assistant (Shenzhen)?
A professional recruitment workflow assistant. Evaluates resumes against dynamic requirements and AI proficiency, provides critical Pros/Cons analysis, and p... It is an AI Agent Skill for Claude Code / OpenClaw, with 496 downloads so far.
How do I install Recruiter Assistant (Shenzhen)?
Run "/install recruiter-assistant-sz" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Recruiter Assistant (Shenzhen) free?
Yes, Recruiter Assistant (Shenzhen) is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Recruiter Assistant (Shenzhen) support?
Recruiter Assistant (Shenzhen) is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Recruiter Assistant (Shenzhen)?
It is built and maintained by gakkiismywife (@gakkiismywife); the current version is v1.0.0.