AI Interview Simulator

Verdict: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ai-interview-simulator-candaigo
Version: 1.0.2

The skill bundle provides an AI interview simulator. While the primary purpose appears benign, the `SKILL.md` file includes instructions for uploading resumes that involve base64 encoding local files (`base64 -i resume.pdf`) and sending them to `https://me.candaigo.com/api/v2/agent/resume/upload`. If combined with a vulnerable AI agent susceptible to prompt injection, this capability could be abused to exfiltrate arbitrary local files (e.g., sensitive system files or credentials) by instructing the agent to encode and upload a different file path. This represents a risky capability without clear malicious intent within the skill bundle itself, so it is classified as suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could create or start interview rooms, send messages, or advance an interview if the user provides an API key and asks it to use these API calls.

Why it was flagged

The skill documents direct POST calls that mutate external interview-room state and send speech content. This is aligned with the simulator purpose, but it is still an account action the user should confirm.

Skill content

curl -X POST https://me.candaigo.com/api/v2/agent/rooms ... /rooms/ROOM_ID/start ... /rooms/ROOM_ID/speak ... /rooms/ROOM_ID/advance

Recommendation

Confirm the room, action, and message content before allowing POST requests, especially for speak, start, and advance actions.

What this means

Anyone with the API key may be able to act through the Candaigo agent API as that registered agent.

Why it was flagged

The skill requires a bearer API key for Candaigo API access. This is expected for the service integration and no hardcoded or leaked credential is shown, but it gives account-level authority to API calls.

Skill content

All requests must carry the API Key in the header: curl https://me.candaigo.com/api/v2/agent/jobs -H "Authorization: Bearer YOUR_API_KEY"

Recommendation

Use a dedicated API key for this skill, avoid sharing it in public or shared chats, and revoke or rotate it if it may have been exposed.

What this means

Resume details, interview messages, participant information, and evaluations may be transmitted to and stored by the Candaigo service.

Why it was flagged

The skill directs data to an external provider and explicitly includes resume upload and interview history functionality. That is purpose-aligned, but resumes, interview transcripts, and evaluations can contain sensitive personal information.

Skill content

Base URL: `https://me.candaigo.com` ... description: Candaigo AI Interview Simulator ... check history, upload resumes.

Recommendation

Only upload resumes or interview content you are comfortable sharing with the provider; redact unnecessary personal information and review the service’s privacy terms.