Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Interview Question Gen
v1.0.0
Generate structured WePlay activity operations interview questions from a resume and append a detailed evaluation using the interview transcript in a Feishu...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the instructions: it converts resumes → Feishu interview docs and appends evaluations from transcripts. However, the SKILL.md refers to using PyMuPDF and a local script (feishu_bot_doc.mjs) that are not declared or provided. Also the instructions hard-code a Feishu folder ID and a default collaborator (ou_8b357150...), which is plausible for an internal tool but is unexpected for a generic skill and could cause documents to be saved/shared without explicit user consent.
Instruction Scope
Instructions ask the agent to read local resume files (PDF → /tmp/*.png) and to fetch a Feishu wiki URL — appropriate for the task. Concern: the doc creation step relies on an external node script (feishu_bot_doc.mjs) and agent actions like feishu_doc append/read. The behavior will write candidate data into a specific default folder and add a specific collaborator by default; that is a potential privacy/data-sharing surprise. The SKILL.md does not instruct any unrelated file/credential reads, but the unspecified node script could itself perform additional actions (not visible here).
Install Mechanism
This is an instruction-only skill with no install spec (low disk-write risk). However it references third-party libraries (PyMuPDF via import fitz) and a local node script. Because they are not bundled or declared, the agent/platform must already provide them — if not, the steps will fail or the user/operator might install ad-hoc tools. Missing dependency documentation is a practical risk and should be clarified.
Credentials
The skill declares no required environment variables or credentials, but its actions require Feishu access (feishu_doc actions / node script). The hard-coded default folder ID and collaborator imply that outputs will be stored/shared to a specific organization/person; that is a disproportionate/opaque sharing decision for a general-purpose interview generator. No other unrelated credentials are requested.
Persistence & Privilege
always:false and no install spec means the skill does not request persistent, forced inclusion or system-level privileges. It does request write access to a Feishu document (expected for the described function). There is no evidence it modifies other skills or system configuration.
What to consider before installing
Before installing or running this skill, confirm these points:
(1) Where will generated documents be stored and who will be added as collaborator? The SKILL.md hard-codes a Feishu folder ID and a collaborator (ou_8b357150...), so verify you want candidate data shared there.
(2) The runtime expects PyMuPDF (fitz) and a local script named feishu_bot_doc.mjs — these are not included. Ask the author or your platform operator for the exact dependencies and inspect the feishu_bot_doc.mjs source to ensure it doesn't exfiltrate data or call unexpected endpoints.
(3) Ensure your Feishu integration credentials are scoped appropriately (limit write scope to intended folder) and test the skill with non-sensitive sample data first.
(4) If you need a generic/public skill, request removal of hard-coded folder/collaborator defaults or make them configurable/prompted at runtime.
If the maintainer cannot supply the missing scripts/dependencies or justify the default collaborator, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
