聘才猫 (Pincaimao) Labor Contract Guard
Analysis
The skill is a coherent Pincaimao contract-analysis API wrapper, but it asks the agent to install/load an undeclared helper skill and sends sensitive contract data to an external service.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
**REQUIRED:** First check whether `pincaimao-basic` is installed; if it is not, install it first, then load it to learn the common interfaces (file upload, authentication, response format, SSE parsing template).
The skill requires installing and loading a separate helper skill that is not included in the reviewed file set and is not pinned to a source or version in the provided artifacts.
allowed-tools: - Bash
The skill permits Bash and documents `curl`/`python3` calls to the Pincaimao API. This is central to the API-wrapper purpose, but users should notice that the agent can run local commands to perform the upload/request flow.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
API key is read from an environment variable and passed via the `Authorization` header; never hardcoded
The skill uses a bearer API key for Pincaimao access. This is expected for the integration and is disclosed, but it is still delegated account/API authority.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Contract text is transmitted to `api.pincaimao.com` for AI processing. Uploaded files are stored on Pincaimao's COS (Cloud Object Storage); returned `cos_key` paths should be treated as sensitive.
The skill clearly discloses external transmission and remote storage of contract content/files, which is purpose-aligned but involves sensitive employment/legal data.
