Skill v1.4.4

ClawScan security

Pm Interview Coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 6:00 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and included script align with its PM-interview coaching purpose and do not ask for unrelated credentials. Review the 'no upload' claim, however: the runtime uses external search, image and model tooling that may transmit data, depending on how those tools are configured in your environment.
Guidance
This skill appears coherent for PM interview practice, but check two things before installing: (1) the mcporter/mcp and MiniMax-VL-01 model calls: confirm whether these run locally or call hosted services; if hosted, avoid sending sensitive resume content and prefer pasted anonymized text or dummy data; (2) the script downloads remote images into ~/.openclaw/workspace/xhs_interview_images: inspect and clean that directory as needed. Also ensure your mcporter/Xiaohongshu tooling is configured with least-privilege credentials, and test the workflow with non-sensitive data first.
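The two checks in the guidance, as an added worked example (this is not code from ClawHub or from the Pm Interview Coach skill): a helper that strips obvious PII from resume text before it can reach a possibly hosted model or search tool, and an audit of the image directory the skill writes that classifies files by their header bytes rather than their extension. The PII regexes, the sample resume text, and the sample directory contents are assumptions constructed for illustration.

```python
"""Added example, not part of the ClawHub page or the reviewed skill.

1. anonymize_resume(): redact e-mail, URL and phone patterns before the text
   is pasted into a workflow that may call hosted services.
2. audit_image_dir(): sniff each file in the download directory by magic
   bytes so non-image payloads (an HTML login wall saved as .jpg, a script)
   stand out and can be deleted.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed PII patterns: e-mail, URL (profile links), phone (10+ digits).
# Person names are deliberately not guessed here; redact those by hand.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_URL = re.compile(r"https?://\S+|www\.\S+")
_PHONE = re.compile(r"\+?\d[\d ()-]{6,}\d")   # no \s, so it never joins lines


def anonymize_resume(text: str) -> tuple[str, dict[str, int]]:
    """Return (redacted text, number of redactions per kind)."""
    counts = {"EMAIL": 0, "URL": 0, "PHONE": 0}

    def mark(label: str):
        def repl(m: re.Match) -> str:
            counts[label] += 1
            return f"[{label}]"
        return repl

    def phone_repl(m: re.Match) -> str:
        # Year ranges such as 2019-2023 have the same shape; require 10+ digits.
        if sum(c.isdigit() for c in m.group()) < 10:
            return m.group()
        counts["PHONE"] += 1
        return "[PHONE]"

    text = _EMAIL.sub(mark("EMAIL"), text)
    text = _URL.sub(mark("URL"), text)
    text = _PHONE.sub(phone_repl, text)
    return text, counts


# File signatures for the image types a multimodal model is likely to accept.
_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}


def sniff_image(path: Path) -> Optional[str]:
    """Return the image type detected from the file header, or None."""
    with path.open("rb") as fh:
        head = fh.read(12)
    for kind, magic in _MAGIC.items():
        if head.startswith(magic):
            return kind
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None


def audit_image_dir(directory: Path) -> dict[str, str]:
    """Map each regular file to its sniffed type, or 'not-an-image'."""
    report = {}
    for entry in sorted(directory.iterdir()):
        if entry.is_file():
            report[entry.name] = sniff_image(entry) or "not-an-image"
    return report


def demo_image_audit() -> dict[str, str]:
    """Audit a constructed sample directory (offline; nothing is downloaded)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "post1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        (d / "post2.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        # Named like an image but actually an HTML page (e.g. a login wall).
        (d / "post3.jpg").write_bytes(b"<!DOCTYPE html><html>...</html>")
        return audit_image_dir(d)


if __name__ == "__main__":
    # Constructed resume text; every value here is made up.
    sample = ("Jane Doe\nEmail: jane.doe@example.com\nPhone: +1 (415) 555-0100\n"
              "LinkedIn: https://www.linkedin.com/in/janedoe\n"
              "Senior PM, Acme Corp, 2019-2023\n")
    print(anonymize_resume(sample))
    # In real use, point audit_image_dir at the skill's own directory:
    # audit_image_dir(Path.home() / ".openclaw/workspace/xhs_interview_images")
    print(demo_image_audit())
```

Run the audit against ~/.openclaw/workspace/xhs_interview_images after a trial session with dummy data; anything reported as not-an-image is a candidate for deletion, and the redaction counts tell you how much identifying material would have left the machine had you pasted the raw resume.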

Review Dimensions

Purpose & Capability
ok: Name/description (PM interview coach) match the behavior: reads resumes (PDF or text), searches Xiaohongshu for interview posts, downloads post images, and uses a multimodal model to extract questions. The included script (fetch_xhs_interview.py) and reference docs directly support the stated functionality. There are no unrelated required env vars or binaries.
Instruction Scope
note: SKILL.md mandates collecting resume + company + round and then searching Xiaohongshu and reading post text/images. That stays inside the stated purpose. However, the skill explicitly (a) uses a local mcporter/mcp API to query Xiaohongshu, (b) downloads images from remote URLs, and (c) invokes the MiniMax-VL-01 model for image understanding. The README also lists pdfplumber and mcporter as prerequisites. The skill's 'Security Declaration' states that it does not upload or transmit resumes/personal info and that processing is local; this can be true only if your agent/tooling keeps all of those calls local. If your mcporter/mcp or model calls go to hosted services, data (images, queries, or resume text) could be sent externally. The skill also writes downloaded images to ~/.openclaw/workspace/xhs_interview_images, which is normal but persists on disk.
Install Mechanism
ok: There is no install specification for the skill bundle; it is instruction-heavy with one small Python utility. The README suggests pip installs for pdfplumber/pypdf, but no automated remote installs are declared in the package. No high-risk download/install URLs are present.
Credentials
ok: The skill declares no required environment variables or credentials. Runtime interaction does require Xiaohongshu-specific tokens/arguments (feed_id, xsec_token) provided when calling the mcporter tool; these are reasonable for fetching posts. No unrelated secrets (AWS keys, system tokens, etc.) are requested.
Persistence & Privilege
ok: The always flag is false and the skill does not request elevated or persistent platform privileges. It writes downloaded images into a skill workspace directory but does not attempt to modify other skills or global agent configuration.