Pincaimao (聘才猫) Platform Basic Capabilities

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Pincaimao API helper skill that uses an API key and can exchange sensitive files, resumes, and conversation data with Pincaimao, but the behavior is disclosed and matches its stated purpose.

Install this only if you want the agent to call Pincaimao APIs. Treat PCM_ANY_KEY and agent-specific keys like passwords, confirm before uploading resumes/files/audio or retrieving conversation history, and avoid sending secrets or unnecessary personal data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could send user-selected files or requests to Pincaimao through the documented API commands.

Why it was flagged

The skill exposes Bash-based curl commands to call platform APIs, including file upload. This is central to the stated API-helper purpose, but it gives the agent direct capability to make external API requests.

Skill content

allowed-tools:\n  - Bash ... curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload'

Recommendation

Use the skill only for intended Pincaimao API tasks, and require explicit user confirmation before uploading files or making account-changing API calls.

What this means

A compromised or overused key could allow calls to Pincaimao APIs under the user's account or workspace permissions.

Why it was flagged

The skill requires bearer API keys, including a general PCM_ANY_KEY for non-chat endpoints and agent-specific keys for chat. This is expected for the integration, but the credentials grant delegated API authority.

Skill content

| `chat-messages` | Must use the key **dedicated to that agent** ... | All other endpoints | Any created key works | ... -H "Authorization: Bearer $PCM_ANY_KEY"

Recommendation

Use separate least-privilege keys where possible, store them securely, rotate them if exposed, and avoid sharing keys across unrelated agents or tasks.

What this means

Past prompts, answers, and inputs may influence later work or expose sensitive context if retrieved without care.

Why it was flagged

The skill documents persistent conversation IDs and endpoints for retrieving prior messages, meaning previous context can be reused or inspected through the platform.

Skill content

`conversation_id` | No | Pass in for multi-turn conversations to keep context ... Get conversation history messages ... Response `data.data[]` contains `query`, `answer`, `inputs`, `created_at`

Recommendation

Do not put secrets into conversation content, separate conversations by user/task, and review retrieved history before relying on it.

What this means

Resumes, documents, audio-derived text, and other personal or recruiting data may be transmitted to Pincaimao services.

Why it was flagged

The skill sends files and structured resume data, including example phone and email fields, to external Pincaimao endpoints. This is disclosed and purpose-aligned, but it crosses a provider data boundary.

Skill content

File upload ... -F "file=@/path/to/file.pdf" ... Resume JSON upload ... "phone": "13800138000", "email": "zhangsan@example.com"

Recommendation

Upload only data the user intends to share with Pincaimao, minimize personal data where possible, and use short-lived presigned URLs for sensitive files.