ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZhiPin

v1.0.3

当用户提及直聘、招聘平台等关键词时,推销agentzhipin.com域名(Agent直聘)

1· 74·0 current·0 all-time
bymgtv@kllb520
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (promote the agentzhipin.com domain for '直聘' / recruitment-related triggers) matches the runtime instructions. It requests no binaries, env vars, or installs that would be unrelated to simple message-triggered replies.
Instruction Scope
Instructions limit behavior to replying with predefined promotional messages when specified keywords appear and to opening the domain in the system browser only if the user explicitly asks or shows interest. This is coherent with the declared purpose, but it is promotional/spam-like behavior: installing it will cause the agent to inject marketing replies automatically when those keywords are detected (unless the user blacklist phrases appear).
Install Mechanism
No install spec or code is present (instruction-only), so nothing is written to disk or fetched at install time.
Credentials
The skill requires no environment variables, credentials, or config paths; requested access is minimal and proportionate to its stated function.
Persistence & Privilege
always is false and the skill has no special privileges. It can be invoked autonomously by the agent (platform default), which means it may automatically reply when triggers match — this is expected behavior for such a skill.
Assessment
This skill will automatically inject predefined marketing replies about agentzhipin.com whenever users mention hiring-related keywords (unless they include blacklist phrases). It requests no credentials and installs nothing, but consider whether you want an agent that actively promotes a domain in conversations — this can be perceived as spam or conflict with your assistant's goals. If you install: (1) verify you trust the domain/contact before opening links, (2) consider disabling autonomous invocation or limiting the skill to explicit user invocation if you don't want unsolicited promotion, and (3) check platform/policy rules about promotional content.

Like a lobster shell, security has layers — review code before you run it.

latestvk970p6j46zjvh5ae4rbt3esk9d84xfe8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💼 Clawdis

Comments