High risk: risk score 65/100
Last scan: 2 days ago
resume-jd-matcher
Batch-parses resumes and matches them against job descriptions (JDs) with AI, generating a structured match report (Excel)
The skill contains 3 real hardcoded API keys and 5 placeholder keys in config files; the credentials are exposed in plaintext, though the functionality appears consistent with the stated resume-matching purpose.
Skill name: resume-jd-matcher
Analysis time: 46.0s
Engine: pi
Do not install this skill
Remove all hardcoded API keys from config files. Use environment variables (e.g., os.environ['TENANT_API_KEY']) or a secrets manager. The credential exposure is severe, but there is no evidence of exfiltration beyond legitimate API calls.

Security findings (5)

Severity · Finding · Location

Critical: Hardcoded Real API Keys in Configuration
Three real API keys are hardcoded in config_resume_match.yaml: Tencent Hunyuan key, Alibaba Qwen key, and CMHK bearer token. These credentials are exposed in plaintext.
api_key: "sk-sp-sq7Y7eo9L0vgFpuESFLq5YsQB8qumjDnwOPeciB9v3F0BSKv"
→ Remove hardcoded API keys. Use environment variables: api_key: os.environ.get('TENCENT_API_KEY')
Location: references/config_resume_match.yaml:39

Critical: Hardcoded API Key in Config File
Real Alibaba API key found in config_resume_match.yaml
api_key: "sk-sp-3e0faf520b904151914a663bdbc884f7"
→ Remove hardcoded API key. Use environment variables.
Location: references/config_resume_match.yaml:47

Critical: Hardcoded Bearer Token in Config File
CMHK bearer token found in config_resume_match.yaml
api_key: "Bearer YmQzNDQwYzYtNWZjMS00ZDNhLWFmZGQtYjc1MTUyZTg1YjJl"
→ Remove hardcoded bearer token. Use environment variables.
Location: references/config_resume_match.yaml:31

Medium: Placeholder API Keys in Config Files
5 placeholder keys found with the pattern 'YOUR_*_API_KEY'; these are not immediately dangerous but indicate the credential management pattern
api_key: "YOUR_BAIDU_API_KEY"
→ Replace with environment variable references for production use
Location: references/config_resume_match.yaml:55, 63, 71; references/config_template.yaml:23, 31, 39

Low: No Version Pinning for Dependencies
SKILL.md lists dependencies without version constraints, though requirements.txt in the code uses >= operators
openpyxl>=3.0.0
→ Consider pinning exact versions for reproducibility
Location: SKILL.md:108
Resource type      | Declared permission | Inferred permission | Status       | Evidence
-------------------|---------------------|---------------------|--------------|---------------------------------------------------------------
File system        | READ/WRITE          | READ/WRITE          | ✓ Consistent | SKILL.md: Reads .docx/.pdf files, writes Excel output
Network access     | READ                | READ                | ✓ Consistent | config_resume_match.yaml: Makes API calls to external AI services
Skill invocation   | ADMIN               | ADMIN               | ✓ Consistent | _meta.json: sessions_spawn, subagents, sessions_history
Command execution  | NONE                | NONE                |              | No subprocess or shell execution found
17 findings (8 high)

🔑 High · API key · Suspected hardcoded credential
    api_key: "sk-sp-sq7Y7eo9L0vgFpuESFLq5YsQB8qumjDnwOPeciB9v3F0BSKv"  (references/config_resume_match.yaml:39)
🔑 High · API key · Suspected hardcoded credential
    api_key: "sk-sp-3e0faf520b904151914a663bdbc884f7"  (references/config_resume_match.yaml:47)
🔑 High · API key · Suspected hardcoded credential
    api_key: "YOUR_BAIDU_API_KEY"  (references/config_resume_match.yaml:55)
🔑 High · API key · Suspected hardcoded credential
    api_key: "YOUR_DEEPSEEK_API_KEY"  (references/config_resume_match.yaml:63)
🔑 High · API key · Suspected hardcoded credential
    api_key: "YOUR_MOONSHOT_API_KEY"  (references/config_resume_match.yaml:71)
🔑 High · API key · Suspected hardcoded credential
    api_key: "YOUR_TENCENT_API_KEY"  (references/config_template.yaml:23)
🔑 High · API key · Suspected hardcoded credential
    api_key: "YOUR_ALIBABA_API_KEY"  (references/config_template.yaml:31)
🔑 High · API key · Suspected hardcoded credential
    api_key: "YOUR_CMHK_API_KEY"  (references/config_template.yaml:39)
🔗 Medium · External URL · External URL
    https://api.hunyuan.tencent.com/v1/chat/completions  (SKILL.md:96)
🔗 Medium · External URL · External URL
    https://opensseapi.cmhk.com/CMHK-LMMP-PRD_Qwen3_235B/CMHK-LMMP-PRD/v1/chat/completions  (references/config_resume_match.yaml:29)
🔗 Medium · External URL · External URL
    https://api.lkeap.cloud.tencent.com/coding/anthropic/v1/messages  (references/config_resume_match.yaml:40)
🔗 Medium · External URL · External URL
    https://coding.dashscope.aliyuncs.com/v1  (references/config_resume_match.yaml:48)
🔗 Medium · External URL · External URL
    https://qianfan.baidubce.com/v2/chat/completions  (references/config_resume_match.yaml:56)
🔗 Medium · External URL · External URL
    https://api.deepseek.com/v1/chat/completions  (references/config_resume_match.yaml:64)
🔗 Medium · External URL · External URL
    https://api.moonshot.cn/v1/chat/completions  (references/config_resume_match.yaml:72)
🔗 Medium · External URL · External URL
    https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions  (references/config_template.yaml:32)
📧 Info · Email · Email address
    [email protected]  (README.md:8)

Directory structure

9 files · 73.8 KB · 2163 lines
Python: 4 files · 1546 lines; Markdown: 2 files · 408 lines; YAML: 2 files · 191 lines; JSON: 1 file · 18 lines
├─ 📁 references
│ ├─ 📋 config_resume_match.yaml YAML 139L · 4.2 KB
│ └─ 📋 config_template.yaml YAML 52L · 1.6 KB
├─ 📁 scripts
│ ├─ 🐍 batch_processor.py Python 206L · 6.8 KB
│ ├─ 🐍 resume_match.py Python 835L · 34.0 KB
│ └─ 🐍 skill_handler.py Python 374L · 12.9 KB
├─ 📋 _meta.json JSON 18L · 590 B
├─ 🐍 main.py Python 131L · 4.1 KB
├─ 📝 README.md Markdown 203L · 4.7 KB
└─ 📝 SKILL.md Markdown 205L · 4.9 KB

Dependency analysis (5)

Package     | Version  | Source | Known vulnerabilities | Notes
------------|----------|--------|-----------------------|----------------------------------
openpyxl    | >=3.0.0  | pip    |                       | Version constraint only, not pinned
requests    | >=2.28.0 | pip    |                       | Version constraint only, not pinned
python-docx | >=0.8.0  | pip    |                       | Version constraint only, not pinned
pyyaml      | >=6.0.0  | pip    |                       | Version constraint only, not pinned
pdfplumber  | >=0.11.0 | pip    |                       | Version constraint only, not pinned

Security highlights

✓ No shell execution or subprocess usage found
✓ No suspicious base64 encoded payloads
✓ No hidden instructions in HTML comments
✓ No credential exfiltration detected beyond legitimate API usage
✓ File system access is consistent with stated purpose (reading resumes, writing Excel)
✓ Network access is limited to declared AI API services