
resume-jd-matcher

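Author: sxffly · GitHub · v2.0.3 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 119
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install resume-jd-matcher
Description
Batch-parses resumes and uses AI to match them against job descriptions (JDs), producing a structured match report (Excel)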
Security usage advice
This skill appears to implement resume↔JD matching, but proceed cautiously. Key concerns:
  1) The repo includes hard-coded API keys and bearer tokens in references/config_resume_match.yaml. Treat these as insecure and remove them before use; do NOT assume they are safe or your own.
  2) If you enable 'api' mode (or if the skill falls back to the included config), the skill will send full resume text (sensitive personal data) to external third-party endpoints. Verify which endpoint and credential will actually be used.
  3) main.py expects an import path (resume_match_v2.0.2.py) that isn't in the package. This mismatch could cause failures or unexpected behavior; inspect/repair the entrypoint before running.
  4) The skill writes parsed resume JSON files to disk (parsed/ folder). Ensure your environment is secure and permitted to store those files.
Recommended actions before installing/running:
  a) Inspect and remove any embedded api_key values from config files;
  b) Create/verify a config_resume_match.yaml that uses only your approved endpoints/keys or uses 'subagent' mode;
  c) Run in a safe test environment with non-sensitive sample resumes;
  d) Consider disabling API mode or running offline if you cannot verify the third-party providers;
  e) Fix the inconsistent import/path references (or run the provided scripts directly) and confirm expected behavior.
If you want, I can point to the exact lines/files containing embedded keys and the dynamic import for quick remediation.
Functional analysis
Type: OpenClaw Skill
Name: resume-jd-matcher
Version: 2.0.3
The skill bundle contains multiple hardcoded, high-privilege AI service API keys and Bearer tokens (Tencent, Alibaba, and CMHK) within 'references/config_resume_match.yaml', which is a severe security vulnerability. Additionally, 'main.py' uses dynamic module loading via 'importlib.util' from hardcoded absolute paths (C:\Users\Administrator\...), and the scripts rely on broad file system access to specific directories. While the logic appears to serve the stated purpose of resume matching and lacks clear evidence of intentional data exfiltration or backdoors, the credential exposure and fragile execution patterns pose a significant security risk.
Capability assessment
Purpose & Capability
Name/description (resume ↔ JD matching) aligns with the code: scripts parse .docx/.pdf, create tasks, call subagents or external APIs, and produce Excel output. However there are mismatches: main.py dynamically imports a file at C:\Users\Administrator\.openclaw\workspace\resume_match_v2.0.2.py which is not present in the package (the repo has scripts/resume_match.py). Config/example files use different default paths (D:\ vs C:\) across SKILL.md, README, and _meta.json. These inconsistent paths/import targets make runtime behavior unclear and could cause failures or unexpected fallbacks.
Instruction Scope
SKILL.md and code intentionally read local resume/JD files and write outputs including parsed JSON copies of each resume into a parsed/ folder — expected for the feature but means full resume text is persisted to disk. In 'api' mode the skill will send entire resume text to configured external endpoints. The SKILL.md claims subagent mode needs no API keys, but the code and config support an 'api' mode that will transmit potentially sensitive resume content to third‑party APIs. The instructions and code do not request unrelated system files, but they do write parsed personal data to disk and may call external services if API mode is enabled.
Install Mechanism
There is no separate install spec or remote download — risk from installation mechanism is low. The skill is provided as code files (no arbitrary archive downloads).
Credentials
Registry metadata declares no required environment variables or primary credential, but the included references/config_resume_match.yaml contains multiple hard-coded API keys and bearer tokens for various providers (e.g., entries under 'api_providers' with api_key values). Embedding third‑party API keys in the repository is a red flag: (1) those keys may be stale/leaked credentials belonging to someone else, (2) the skill can be switched into 'api' mode and will send full resume contents to external endpoints using those credentials. The skill's declared permissions (sessions_spawn, subagents, sessions_history) are appropriate for subagent operation, but the presence of embedded secrets is disproportionate to the stated 'no env needed' claim and increases data‑exfiltration risk.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. It does require OpenClaw subagent-related permissions (sessions_spawn, subagents, sessions_history) which are consistent with its design to spawn child agents. The skill does not appear to modify other skills or system-wide settings.
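How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install resume-jd-matcher
  3. Once installed, invoke the Skill by name or trigger it with /resume-jd-matcher
  4. Provide the required inputs per the Skill's parameter documentation to get structured output
Version history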
v2.0.3
Resume-JD-Matcher 2.0.3: Major upgrade with dual-mode support and efficiency improvements
- Added dual working modes: "subagent" (for OpenClaw) and "api" (standalone script with AI API).
- Now supports batch parsing of resumes and job descriptions, with AI-powered structure matching and Excel report generation.
- Improved performance: supports concurrent processing, configurable parallelism (default 3), and incremental processing (skip already-matched resumes).
- Enhanced configuration flexibility: detailed YAML-based setup for paths, API, logging, and advanced parameters.
- Output now includes structured Excel reports with both detailed analysis and summary sheets.
- Updated documentation with workflows, directory structure requirements, mode comparison, troubleshooting, and dependency lists.
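Metadata
Slug: resume-jd-matcher
Version: 2.0.3
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is resume-jd-matcher?

Batch-parses resumes and uses AI to match them against job descriptions (JDs), producing a structured match report (Excel). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 119 total downloads to date.

How do I install resume-jd-matcher?

Run the command "/install resume-jd-matcher" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is resume-jd-matcher free?

Yes. resume-jd-matcher is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does resume-jd-matcher support?

resume-jd-matcher runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops resume-jd-matcher?

Developed and maintained by sxffly (@sxffly); the current version is v2.0.3.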
