安全决策报告

resume-jd-matcher

Name: resume-jd-matcher 可信度判断报告
Item: resume-jd-matcher
Rating: 35
Author: ClawSafe

Skill contains 3 real hardcoded API keys and 5 placeholder keys in config files - credentials exposed in plaintext, though functionality appears consistent with stated resume matching purpose.

安装决策优先来源: 手动上传扫描时间: 2026/4/3

文件 9

IOC 17

越权项 0

发现 5

最直接的威胁证据

严重

Hardcoded Real API Keys in Configuration

Three real API keys are hardcoded in config_resume_match.yaml: Tencent Hunyuan key, Alibaba Qwen key, and CMHK bearer token. These credentials are exposed in plaintext.

references/config_resume_match.yaml:39

为什么得出这个结论

2/4 个维度触发

通过

声明与实际能力

声明资源与推断能力基本一致。

阻止

隐藏执行与外联

提取到 8 个高危 IOC 或外联信号。

阻止

攻击链与高危发现

报告包含 0 步攻击链，另有 3 项高危或严重发现。

复核

依赖与供应链卫生

发现 5 项需要关注的依赖或供应链线索。

风险分是怎么被拉高的

Hardcoded credentials in config files +45

3 real API keys and 5 placeholder keys found in config_resume_match.yaml and config_template.yaml

Credential storage in plaintext +20

API keys stored as plaintext strings, no encryption or env var usage

最关键的证据

严重

Hardcoded Real API Keys in Configuration

Three real API keys are hardcoded in config_resume_match.yaml: Tencent Hunyuan key, Alibaba Qwen key, and CMHK bearer token. These credentials are exposed in plaintext.

references/config_resume_match.yaml:39

Remove hardcoded API keys. Use environment variables: api_key: os.environ.get('TENCENT_API_KEY')

严重

Hardcoded API Key in Config File

Real Alibaba API key found in config_resume_match.yaml

references/config_resume_match.yaml:47

Remove hardcoded API key. Use environment variables.

严重

Hardcoded Bearer Token in Config File

CMHK bearer token found in config_resume_match.yaml

references/config_resume_match.yaml:31

Remove hardcoded bearer token. Use environment variables.

中危

Placeholder API Keys in Config Files

5 placeholder keys found with pattern 'YOUR_*_API_KEY' - these are not immediately dangerous but indicate the credential management pattern

references/config_resume_match.yaml, references/config_template.yaml:55, 63, 71, 23, 31, 39

Replace with environment variable references for production use

低危

No Version Pinning for Dependencies

SKILL.md lists dependencies without version constraints, though requirements.txt in code uses >= operators

SKILL.md:108

Consider pinning exact versions for reproducibility

声明能力 vs 实际能力

文件系统 通过

声明 READ/WRITE

→

推断 READ/WRITE

SKILL.md: Reads .docx/.pdf files, writes Excel output

网络访问 通过

声明 READ

→

推断 READ

config_resume_match.yaml: Makes API calls to external AI services

技能调用 通过

声明 ADMIN

→

推断 ADMIN

_meta.json: sessions_spawn, subagents, sessions_history

命令执行 通过

声明 NONE

→

推断 NONE

No subprocess or shell execution found

可疑产物与外联

高危 API 密钥

api_key: "sk-sp-sq7Y7eo9L0vgFpuESFLq5YsQB8qumjDnwOPeciB9v3F0BSKv"

references/config_resume_match.yaml:39

高危 API 密钥

api_key: "sk-sp-3e0faf520b904151914a663bdbc884f7"

references/config_resume_match.yaml:47

高危 API 密钥

api_key: "YOUR_BAIDU_API_KEY"

references/config_resume_match.yaml:55

高危 API 密钥

api_key: "YOUR_DEEPSEEK_API_KEY"

references/config_resume_match.yaml:63

高危 API 密钥

api_key: "YOUR_MOONSHOT_API_KEY"

references/config_resume_match.yaml:71

高危 API 密钥

api_key: "YOUR_TENCENT_API_KEY"

references/config_template.yaml:23

高危 API 密钥

api_key: "YOUR_ALIBABA_API_KEY"

references/config_template.yaml:31

高危 API 密钥

api_key: "YOUR_CMHK_API_KEY"

references/config_template.yaml:39

中危外部 URL

https://api.hunyuan.tencent.com/v1/chat/completions

SKILL.md:96

中危外部 URL

https://opensseapi.cmhk.com/CMHK-LMMP-PRD_Qwen3_235B/CMHK-LMMP-PRD/v1/chat/completions

references/config_resume_match.yaml:29

中危外部 URL

https://api.lkeap.cloud.tencent.com/coding/anthropic/v1/messages

references/config_resume_match.yaml:40

中危外部 URL

https://coding.dashscope.aliyuncs.com/v1

references/config_resume_match.yaml:48

依赖与供应链

包名	版本	来源	漏洞	备注
openpyxl	`>=3.0.0`	pip	否	Version constraint only, not pinned
requests	`>=2.28.0`	pip	否	Version constraint only, not pinned
python-docx	`>=0.8.0`	pip	否	Version constraint only, not pinned
pyyaml	`>=6.0.0`	pip	否	Version constraint only, not pinned
pdfplumber	`>=0.11.0`	pip	否	Version constraint only, not pinned

文件构成

9 个文件 · 2163 行

Python 4 个文件 · 1546 行Markdown 2 个文件 · 408 行YAML 2 个文件 · 191 行JSON 1 个文件 · 18 行

需关注文件 · 4

SKILL.md Markdown · 205 行

No Version Pinning for Dependencies · https://api.hunyuan.tencent.com/v1/chat/completions

README.md Markdown · 203 行

[email protected]

references/config_resume_match.yaml YAML · 139 行

Hardcoded Real API Keys in Configuration · Hardcoded API Key in Config File · Hardcoded Bearer Token in Config File · api_key: "sk-sp-sq7Y7eo9L0vgFpuESFLq5YsQB8qumjDnwOPeciB9v3F0BSKv" · api_key: "sk-sp-3e0faf520b904151914a663bdbc884f7" · api_key: "YOUR_BAIDU_API_KEY" · api_key: "YOUR_DEEPSEEK_API_KEY" · api_key: "YOUR_MOONSHOT_API_KEY" · https://opensseapi.cmhk.com/CMHK-LMMP-PRD_Qwen3_235B/CMHK-LMMP-PRD/v1/chat/completions · https://api.lkeap.cloud.tencent.com/coding/anthropic/v1/messages · https://coding.dashscope.aliyuncs.com/v1 · https://qianfan.baidubce.com/v2/chat/completions · https://api.deepseek.com/v1/chat/completions · https://api.moonshot.cn/v1/chat/completions

references/config_template.yaml YAML · 52 行

api_key: "YOUR_TENCENT_API_KEY" · api_key: "YOUR_ALIBABA_API_KEY" · api_key: "YOUR_CMHK_API_KEY" · https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions

其他文件 · resume_match.py · skill_handler.py · batch_processor.py · main.py · _meta.json

安全亮点

No shell execution or subprocess usage found

No suspicious base64 encoded payloads

No hidden instructions in HTML comments

No credential exfiltration detected beyond legitimate API usage

File system access is consistent with stated purpose (reading resumes, writing Excel)

Network access is limited to declared AI API services