Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Career Planner 职业规划顾问
v1.0.0
A professional AI career planning advisor that guides users step-by-step through a structured interview to understand their background, skills, interests, si...
by @jzw6
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included reference files (role database, skill→role map, report template) align with a career-planning advisor. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
The runtime instructions direct a full intake → synthesis → optional web-research → report flow which is appropriate, but the file contains detected unicode-control-chars (prompt-injection pattern). The SKILL.md also tells the agent to "always use it" for many vague triggers which can cause over-invocation; combined with invisible control characters this could be an attempt to influence model behavior or bypass guards.
Install Mechanism
No install spec and no code files. Instruction-only skills are lowest-risk from an install perspective; nothing will be downloaded or written by the skill itself.
Credentials
The skill requests no environment variables, credentials, or system paths — proportional and appropriate for its purpose.
Persistence & Privilege
always:false (not force-included) and model invocation is allowed (platform default). The skill does not request elevated persistence or modify other skills/configs.
Scan Findings in Context
[unicode-control-chars] unexpected: Invisible/unicode control characters are not expected in a normal instruction document for a career advisor. They can be used to hide embedded instructions or to try to influence model parsing/behavior (prompt-injection technique). Recommend manual review/removal before deployment.
What to consider before installing
This skill appears to be what it claims (an end-to-end career-planning workflow) and poses no obvious credential or install risks, but there is a detected prompt-injection signal (unicode control characters) and the skill aggressively instructs the agent to trigger for many vague phrases. Before installing:
(1) Inspect SKILL.md in a plain-text viewer that reveals invisible characters; remove any unexpected control characters.
(2) Ask the publisher/source why those characters are present or to provide a clean copy.
(3) If you can, test the skill in a sandboxed agent where it cannot access sensitive data or make external calls, and monitor what triggers it uses.
(4) Prefer user-invoked only usage (disable autonomous invocation) if you cannot verify the file, and avoid entering sensitive personal or credential information during interviews.
(5) Verify any web-sourced salary or certification claims cited by the skill.
If the skill's origin remains unknown or you see hidden instructions, do not enable it for general/autonomous use.
Like a lobster shell, security has layers — review code before you run it.
latestvk973tq0jvzsg1xagbqc90p3zex83rjbg
