HireMe Pro

Job hunting is stressful enough without paying $24/month just to format a resume. HireMe Pro builds beautiful, ATS-friendly PDF resumes from your experience,...

What to know before installing: - Core behavior: HireMe Pro appears to run locally: it parses pasted text or uploaded resumes into a local JSON (data/resume-data.json) and uses Playwright to render HTML templates to PDF. The included shell script enforces that input/output paths stay inside the skill directory and blocks outbound network requests when rendering. - Playwright is required: you'll need Python + Playwright (pip3 install playwright && playwright install chromium) for PDF generation. Installing Playwright downloads Chromium; consider that network activity happens during Playwright install, not during resume rendering. - Dashboard is optional: the repository contains a dashboard-kit and deployment docs for a web app (Vercel + Supabase) which requires cloud env vars/keys. You do not need to provide these keys for the local agent skill to work — only enable them if you plan to deploy the companion web service. - PII storage: resume data is stored locally under the skill's data/ directory. The package recommends chmod 600/700 for files and directories, but if your device syncs backups (iCloud, Dropbox, Google Drive) the data directory may be uploaded — exclude it from sync if you want purely local storage. - Setup prompts and copy commands: the SETUP-PROMPT instructs copying files into skills/hireme-pro/ and changing permissions. Running those commands will modify files on the host. Review the copy and chmod commands and ensure you run them in a trusted workspace (they do not request network access or credentials). - Prompt-injection: the skill explicitly defends against prompt-injection and the scanner flagged example strings; those are benign here because they are part of the defense guidance. - If cautious: inspect scripts/generate-resume-pdf.sh and the templates yourself (they are small and readable), run the tool in a restricted/sandboxed environment first, and do not provide cloud secrets unless you intentionally deploy the dashboard. Overall: the package is coherent with its stated purpose and does not request unexplained credentials or global privileges. The main operational risk is typical handling of PII on your machine and whether you choose to deploy the optional cloud dashboard (which would require cloud keys).

Type: OpenClaw Skill Name: normieclaw-hireme-pro Version: 1.0.3 The HireMe Pro skill bundle provides career coaching features that require high-risk capabilities, including shell execution for PDF generation (scripts/generate-resume-pdf.sh), network access for job fetching and salary research, and the management of sensitive PII. Although the bundle incorporates robust security controls—such as path validation, a Playwright request interceptor to prevent data exfiltration, and explicit prompt-injection defenses in SKILL.md—the presence of these powerful tools for file, shell, and network access warrants a suspicious classification according to the provided criteria for risky capabilities without clear malicious intent.