聘才猫 (Pincaimao) Labor Contract Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill appears to analyze labor contracts by sending them to a third-party API, which is purpose-aligned but sensitive enough to require careful review.

Install only if you are comfortable sending labor contracts or pasted contract text to api.pincaimao.com. Redact personal, salary, address, and confidential business terms where possible, verify the provider's retention and deletion policies, and avoid using it for contracts you are not allowed to share with external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

External Transmission

Medium
Category
Data Exfiltration
Content
CONTRACT_FILE="/path/to/contract.docx"

# Step 1: Upload the contract file
UPLOAD=$(curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload' \
  -H "Authorization: Bearer $PCM_LABOR_CONTRACT_KEY" \
  -F "file=@${CONTRACT_FILE}")
COS_KEY=$(echo "$UPLOAD" | python3 -c "import sys,json; print(json.load(sys.stdin)['cos_key'])")
Confidence
95% confidence
Finding
https://api.pincaimao.com/

External Transmission

Medium
Category
Data Exfiltration
Content
'response_mode': 'blocking'
}).encode()
req = urllib.request.Request(
    'https://api.pincaimao.com/agents/v1/chat/chat-messages',
    data=payload,
    headers={'Authorization': f'Bearer {key}', 'Content-Type': 'application/json'}
)
Confidence
94% confidence
Finding
https://api.pincaimao.com/

External Transmission

Medium
Category
Data Exfiltration
Content
'response_mode': 'blocking'
}).encode()
req = urllib.request.Request(
    'https://api.pincaimao.com/agents/v1/chat/chat-messages',
    data=payload,
    headers={'Authorization': f'Bearer {key}', 'Content-Type': 'application/json'}
)
Confidence
94% confidence
Finding
https://api.pincaimao.com/

VirusTotal

63/63 vendors flagged this skill as clean.
