面试助手 (Interview Assistant)
Analysis
On the whole the skill matches its stated interview-preparation purpose, but when it processes images or scanned PDFs it sends the file contents to a PaddleOCR service, and on first run it may automatically install Python dependencies.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
subprocess.check_call(["uv", "pip", "install", pkg, "--system", "-q"], stderr=subprocess.DEVNULL)
The parsing script automatically installs unpinned dependencies (requests, pdfplumber, python-docx and others) into the system Python environment. Because no versions are pinned, each first run resolves whatever the package index serves at that moment, and the --system flag places the packages in the interpreter shared by everything else on the host rather than in an isolated environment; with -q and stderr discarded, the install runs with its output suppressed.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
TOKEN = os.getenv("PADDLEOCR_TOKEN", "").strip() ... "Authorization": f"token {TOKEN}"
The script reads the PaddleOCR token from the PADDLEOCR_TOKEN environment variable and sends it to the OCR service as an Authorization header. This is the credential use the OCR integration requires; note that the token travels with every OCR request, so the endpoint the script posts to determines who receives it.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
payload = {"file": b64, "fileType": 1} ... resp = requests_mod.post(STRUCT_ENDPOINT, json=payload, headers=headers, timeout=timeout)
Images and scanned PDFs are base64-encoded and sent in full to the remote OCR endpoint. This matches the OCR function, but résumés and job descriptions may contain personal information, which therefore leaves the user's machine with each request.
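ClawScan describes its review as artifact-based, and the three findings above are the kind of static signals such a review keys on. The following is an added example, not ClawScan's code and not the skill's source: a small AST pass over a constructed script that mirrors the quoted snippets (the endpoint host ocr.example.invalid, the function names and the sample script itself are placeholders), flagging the runtime install behind the first finding and the environment token plus outbound POST behind the second and third.

```python
import ast

# Constructed sample script mirroring the snippets quoted in the findings;
# it is not the skill's actual source, and the endpoint host is a placeholder.
SAMPLE_SKILL_SCRIPT = '''\
import os, base64, subprocess
import requests as requests_mod

STRUCT_ENDPOINT = "https://ocr.example.invalid/layout-parsing"

def ensure(pkg):
    subprocess.check_call(["uv", "pip", "install", pkg, "--system", "-q"],
                          stderr=subprocess.DEVNULL)

TOKEN = os.getenv("PADDLEOCR_TOKEN", "").strip()

def ocr_file(path):
    b64 = base64.b64encode(open(path, "rb").read()).decode()
    payload = {"file": b64, "fileType": 1}
    headers = {"Authorization": f"token {TOKEN}"}
    resp = requests_mod.post(STRUCT_ENDPOINT, json=payload, headers=headers, timeout=30)
    return resp.json()
'''

INSTALLERS = {"pip", "pip3", "uv"}
SUBPROCESS_FUNCS = {"check_call", "run", "call", "check_output", "Popen"}
SECRET_HINTS = ("TOKEN", "KEY", "SECRET", "PASSWORD")
HTTP_WRITE_METHODS = {"post", "put", "patch"}


def callee_name(call):
    """Dotted name of a Call's callee, e.g. 'subprocess.check_call'."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def argv_strings(node):
    """String literals of a list/tuple argv; None marks an element computed at runtime."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return []
    return [e.value if isinstance(e, ast.Constant) and isinstance(e.value, str) else None
            for e in node.elts]


def scan(source):
    """Return (kind, lineno, detail) tuples for the three signals, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        head, _, tail = name.rpartition(".")

        # Signal 1: a package manager invoked at runtime through subprocess.
        if head == "subprocess" and tail in SUBPROCESS_FUNCS and node.args:
            argv = argv_strings(node.args[0])
            if "install" in argv and INSTALLERS.intersection(a for a in argv if a):
                specs = [a for a in argv[argv.index("install") + 1:]
                        if a is None or not a.startswith("-")]
                details = []
                if "--system" in argv:
                    details.append("installs into the system interpreter")
                if None in specs:
                    details.append("package spec is a runtime value")
                if any(s is not None and "==" not in s for s in specs):
                    details.append("unpinned package spec")
                findings.append(("runtime_install", node.lineno, "; ".join(details)))

        # Signal 2: a secret-looking value read from the environment.
        elif name in ("os.getenv", "os.environ.get") and node.args:
            first = node.args[0]
            if (isinstance(first, ast.Constant) and isinstance(first.value, str)
                    and any(h in first.value.upper() for h in SECRET_HINTS)):
                findings.append(("env_secret", node.lineno, first.value))

        # Signal 3: an outbound HTTP write carrying both headers and a body.
        elif tail in HTTP_WRITE_METHODS:
            kws = {k.arg for k in node.keywords}
            if "headers" in kws and kws & {"json", "data", "files"}:
                target = node.args[0] if node.args else None
                if isinstance(target, ast.Name):
                    dest = target.id
                elif isinstance(target, ast.Constant):
                    dest = str(target.value)
                else:
                    dest = "<dynamic>"
                findings.append(("outbound_post", node.lineno, dest))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for kind, line, detail in scan(SAMPLE_SKILL_SCRIPT):
        print(f"line {line:>3}  {kind:<16} {detail}")
```

Run as a script it prints one line per signal: the uv install at line 7 (system interpreter, runtime package spec), the PADDLEOCR_TOKEN read at line 10, and the POST to STRUCT_ENDPOINT at line 16. The pass is deliberately syntactic, which is also its limit: a subprocess module imported under an alias, an argv assembled from variables, or an HTTP client wrapped in a helper will not be matched, so a real scanner layers such signals rather than relying on any one of them.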
