Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recruiting Interview Kit

v1.0.0

Generates interview questions, scoring dimensions, red-flag items, and interview record templates from a job description (JD). Use for recruiting, interview, and hiring workflows. Do not use for generating discriminatory questions or for replacing the final hiring decision.

by vx:17605205782@52yuanchangxing
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included resources and the Python script. Declared dependency (python3) is appropriate. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md restricts behavior to read-only, template-driven outputs and suggests running scripts/run.py for local processing. The bundled run.py implements structured reports and directory/csv/skill audits, which is useful for the stated purpose. However, the script will traverse and read files under any input path provided (list_text_files, read_text), so if an attacker or careless user supplies a sensitive directory (e.g., home, /etc) it can read and report on arbitrary local files. That capability is coherent for the 'audit' modes, but it expands the scope beyond processing a single JD file.
Install Mechanism
No external install spec; instruction-only with a local Python script. No downloads or external package installs are performed. This is low-risk from a supply-chain perspective.
Credentials
No environment variables, credentials, or config paths are requested. The skill only needs python3 and local file access as expected.
Persistence & Privilege
The always flag is false, the skill does not request permanent platform presence, and it does not modify other skills or system-wide agent settings. The script can write an output file if asked, but that is standard behavior and scoped to the provided --output path.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md pre-scan detected unicode control characters (prompt-injection pattern). This is not expected for a normal skill manifest and could be an attempt to influence prompt parsing or presentation; inspect SKILL.md for invisible characters before trusting it.
What to consider before installing
This skill appears to do what it claims (generate interview questions/scorecards) and only requires python3, but take these precautions before running:
1) Inspect SKILL.md and the other files for invisible/control characters and remove them; the pre-scan flagged unicode control chars.
2) Review scripts/run.py yourself (it is included) to confirm its behavior. It only reads local files and writes output, but it will traverse and read any directory you pass as --input. Never run it against root/home or other sensitive paths.
3) Prefer running with --dry-run and the included example input first, or run inside an isolated/sandbox environment.
4) If you do not want local file access, avoid executing the script and instead ask the skill to produce output based only on the provided JD text/template.
5) If you plan to give the skill directory inputs, sanitize them and avoid passing files that contain secrets or credentials.

Runtime requirements

Platform: Clawdis
OS: macOS · Linux · Windows
Bins: python3