resume-jd-matcher Security Report — High Risk | ClawSafe

65 /100

resume-jd-matcher

批量解析简历并与岗位 JD 进行 AI 智能匹配，生成结构化匹配报告（Excel）

Skill contains 3 real hardcoded API keys and 5 placeholder keys in config files - credentials exposed in plaintext, though functionality appears consistent with stated resume matching purpose.

Skill Nameresume-jd-matcher

Duration46.0s

Enginepi

⛔

Do not install this skill

Remove all hardcoded API keys from config files. Use environment variables (e.g., os.environ['TENANT_API_KEY']) or a secrets manager. The credential exposure is severe but there is no evidence of exfiltration beyond legitimate API calls.

Findings 5 items

Severity	Finding	Location
Critical	Hardcoded Real API Keys in Configuration Three real API keys are hardcoded in config_resume_match.yaml: Tencent Hunyuan key, Alibaba Qwen key, and CMHK bearer token. These credentials are exposed in plaintext. `api_key: "sk-sp-sq7Y7eo9L0vgFpuESFLq5YsQB8qumjDnwOPeciB9v3F0BSKv"` → Remove hardcoded API keys. Use environment variables: api_key: os.environ.get('TENCENT_API_KEY')	`references/config_resume_match.yaml:39`
Critical	Hardcoded API Key in Config File Real Alibaba API key found in config_resume_match.yaml `api_key: "sk-sp-3e0faf520b904151914a663bdbc884f7"` → Remove hardcoded API key. Use environment variables.	`references/config_resume_match.yaml:47`
Critical	Hardcoded Bearer Token in Config File CMHK bearer token found in config_resume_match.yaml `api_key: "Bearer YmQzNDQwYzYtNWZjMS00ZDNhLWFmZGQtYjc1MTUyZTg1YjJl"` → Remove hardcoded bearer token. Use environment variables.	`references/config_resume_match.yaml:31`
Medium	Placeholder API Keys in Config Files 5 placeholder keys found with pattern 'YOUR_*_API_KEY' - these are not immediately dangerous but indicate the credential management pattern `api_key: "YOUR_BAIDU_API_KEY"` → Replace with environment variable references for production use	`references/config_resume_match.yaml, references/config_template.yaml:55, 63, 71, 23, 31, 39`
Low	No Version Pinning for Dependencies SKILL.md lists dependencies without version constraints, though requirements.txt in code uses >= operators `openpyxl>=3.0.0` → Consider pinning exact versions for reproducibility	`SKILL.md:108`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ/WRITE`	`READ/WRITE`	✓ Aligned	SKILL.md: Reads .docx/.pdf files, writes Excel output
Network	`READ`	`READ`	✓ Aligned	config_resume_match.yaml: Makes API calls to external AI services
Skill Invoke	`ADMIN`	`ADMIN`	✓ Aligned	_meta.json: sessions_spawn, subagents, sessions_history
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found

8 High 17 findings

🔑

High API Key 疑似硬编码凭证

api_key: "sk-sp-sq7Y7eo9L0vgFpuESFLq5YsQB8qumjDnwOPeciB9v3F0BSKv"

references/config_resume_match.yaml:39

🔑

High API Key 疑似硬编码凭证

api_key: "sk-sp-3e0faf520b904151914a663bdbc884f7"

references/config_resume_match.yaml:47

🔑

High API Key 疑似硬编码凭证

api_key: "YOUR_BAIDU_API_KEY"

references/config_resume_match.yaml:55

🔑

High API Key 疑似硬编码凭证

api_key: "YOUR_DEEPSEEK_API_KEY"

references/config_resume_match.yaml:63

🔑

High API Key 疑似硬编码凭证

api_key: "YOUR_MOONSHOT_API_KEY"

references/config_resume_match.yaml:71

🔑

High API Key 疑似硬编码凭证

api_key: "YOUR_TENCENT_API_KEY"

references/config_template.yaml:23

🔑

High API Key 疑似硬编码凭证

api_key: "YOUR_ALIBABA_API_KEY"

references/config_template.yaml:31

🔑

High API Key 疑似硬编码凭证

api_key: "YOUR_CMHK_API_KEY"

references/config_template.yaml:39

🔗

Medium External URL 外部 URL

https://api.hunyuan.tencent.com/v1/chat/completions

SKILL.md:96

🔗

Medium External URL 外部 URL

https://opensseapi.cmhk.com/CMHK-LMMP-PRD_Qwen3_235B/CMHK-LMMP-PRD/v1/chat/completions

references/config_resume_match.yaml:29

🔗

Medium External URL 外部 URL

https://api.lkeap.cloud.tencent.com/coding/anthropic/v1/messages

references/config_resume_match.yaml:40

🔗

Medium External URL 外部 URL

https://coding.dashscope.aliyuncs.com/v1

references/config_resume_match.yaml:48

🔗

Medium External URL 外部 URL

https://qianfan.baidubce.com/v2/chat/completions

references/config_resume_match.yaml:56

🔗

Medium External URL 外部 URL

https://api.deepseek.com/v1/chat/completions

references/config_resume_match.yaml:64

🔗

Medium External URL 外部 URL

https://api.moonshot.cn/v1/chat/completions

references/config_resume_match.yaml:72

🔗

Medium External URL 外部 URL

https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions

references/config_template.yaml:32

📧

Info Email 邮箱地址

[email protected]

README.md:8

File Tree

9 files · 73.8 KB · 2163 lines

Python 4f · 1546L Markdown 2f · 408L YAML 2f · 191L JSON 1f · 18L

├─ ▾ 📁 references

│ ├─ 📋 config_resume_match.yaml YAML 139L · 4.2 KB

│ └─ 📋 config_template.yaml YAML 52L · 1.6 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 batch_processor.py Python 206L · 6.8 KB

│ ├─ 🐍 resume_match.py Python 835L · 34.0 KB

│ └─ 🐍 skill_handler.py Python 374L · 12.9 KB

├─ 📋 _meta.json JSON 18L · 590 B

├─ 🐍 main.py Python 131L · 4.1 KB

├─ 📝 README.md Markdown 203L · 4.7 KB

└─ 📝 SKILL.md Markdown 205L · 4.9 KB

Dependencies 5 items

Package	Version	Source	Known Vulns	Notes
`openpyxl`	`>=3.0.0`	pip	No	Version constraint only, not pinned
`requests`	`>=2.28.0`	pip	No	Version constraint only, not pinned
`python-docx`	`>=0.8.0`	pip	No	Version constraint only, not pinned
`pyyaml`	`>=6.0.0`	pip	No	Version constraint only, not pinned
`pdfplumber`	`>=0.11.0`	pip	No	Version constraint only, not pinned

Security Positives

✓ No shell execution or subprocess usage found

✓ No suspicious base64 encoded payloads

✓ No hidden instructions in HTML comments

✓ No credential exfiltration detected beyond legitimate API usage

✓ File system access is consistent with stated purpose (reading resumes, writing Excel)

✓ Network access is limited to declared AI API services

Scan Report

Findings 5 items

File Tree

Dependencies 5 items

Security Positives