聘才猫(Pincaimao)模拟面试
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Pincaimao mock-interview API skill, but users should notice that it sends resumes/interview data to Pincaimao, uses an API key, and asks to install/load a separate Pincaimao basic skill.
Before installing, make sure you are comfortable sending resume/interview data to Pincaimao, use a dedicated API key, and separately review the required pincaimao-basic dependency if it is not already installed.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use shell commands to upload files and call the Pincaimao API as part of the interview workflow.
The skill exposes Bash and documents curl-based API calls. This is central to the skill's purpose, but it means the agent can make authenticated network requests when using the skill.
allowed-tools: - Bash ... curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages'
Use the skill only for intended Pincaimao interview sessions and review the job/resume data before allowing it to be sent.
API actions are performed under the account associated with the configured Pincaimao key.
The skill requires an API key and uses it as a Bearer token for Pincaimao API access. This is disclosed and expected for the service integration.
Requires PCM_MOCK_INTERVIEW_KEY env var. ... -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY"
Use a dedicated key with the minimum needed access, keep it out of shared logs, and rotate it if it may have been exposed.
Using this skill may require trusting an additional Pincaimao-related skill that was not included in the reviewed artifact set.
The skill depends on another skill, pincaimao-basic, and instructs installation/loading if absent, but the provided artifacts do not pin a source or version for that dependency.
**REQUIRED:** 请先检查是否已安装 `pincaimao-basic`,若未安装请先安装,然后加载它了解通用接口(文件上传、鉴权、响应格式、SSE 解析模板)。
Review the pincaimao-basic skill separately and install it only from a trusted source/version.
Personal resume, job, answer, and possibly video data may leave the local environment and be processed or stored by Pincaimao.
The skill clearly discloses that sensitive user-provided documents and interview context are sent to an external provider and that uploaded files are stored there.
Resume files, job descriptions, and contract text are transmitted to `api.pincaimao.com` for AI processing - Uploaded files are stored on Pincaimao's COS (Cloud Object Storage); returned `cos_key` paths should be treated as sensitive
Do not submit highly sensitive information unless you trust Pincaimao's handling of it; treat returned cos_key values and conversation identifiers as sensitive.