聘才猫 (Pincaimao) Interview Report

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is purpose-aligned for generating Pincaimao interview reports, but users should be aware that it uploads interview materials to Pincaimao and depends on a companion skill.

Before installing, confirm you are comfortable sharing the selected interview record and job description with Pincaimao, protect the PCM_INTERVIEW_REPORT_KEY, and review the separate pincaimao-basic skill if the agent asks to install or load it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

The agent can make authenticated Pincaimao API calls using the configured key.

Why it was flagged

The skill uses a provider API key from the environment to authenticate requests. This is expected for the Pincaimao integration and is disclosed, but it gives the agent delegated access to the user's Pincaimao API account.

Skill content
Requires PCM_INTERVIEW_REPORT_KEY env var
Recommendation

Use a dedicated, least-privilege Pincaimao key if available, and rotate it if it is exposed.

ASI07: Insecure Inter-Agent Communication
Severity: Medium
What this means

Interview records, job descriptions, and related hiring materials may leave the local environment and be processed by Pincaimao.

Why it was flagged

The skill explicitly sends user-provided hiring/interview materials to an external provider API. This is central to the stated purpose and disclosed, but the data can contain sensitive personal or business information.

Skill content
Resume files, job descriptions, and contract text are transmitted to `api.pincaimao.com` for AI processing
Recommendation

Only upload files you are authorized to share with Pincaimao, and review Pincaimao's privacy and retention terms for interview data.

ASI06: Memory and Context Poisoning
Severity: Low
What this means

Uploaded interview files may remain in provider-side storage after the report is generated.

Why it was flagged

The skill discloses that uploaded files persist in Pincaimao cloud storage and that the returned object keys are sensitive. This persistence is expected for the API workflow, but users should be aware of it.

Skill content
Uploaded files are stored on Pincaimao's COS (Cloud Object Storage); returned `cos_key` paths should be treated as sensitive
Recommendation

Avoid uploading unnecessary sensitive material and ask the provider how to delete stored files if retention is a concern.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Installing or loading the companion skill may add additional instructions or capabilities not assessed in this artifact set.

Why it was flagged

The skill requires a companion skill, pincaimao-basic, but that skill is not included in the provided artifacts for this review. This is a disclosed dependency rather than hidden behavior, but users should review the companion skill separately.

Skill content
First check whether `pincaimao-basic` is installed; if it is not, install it first, then load it to learn the common interfaces.
Recommendation

Review and approve the pincaimao-basic skill before installing or loading it.