Pincaimao (聘才猫) Online Interview

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent wrapper around Pincaimao's online interview API, but it handles sensitive resume and interview data, authenticates with a Pincaimao API key, and requires loading an additional Pincaimao skill.

Before installing, make sure you trust Pincaimao with candidate and interview data, review the referenced pincaimao-basic dependency, use a dedicated API key, and only provide callback URLs and resume files you intend to share.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may use local command-line tools to send the selected resume and interview inputs to Pincaimao.

Why it was flagged

The skill exposes Bash and documents curl-based API calls, including uploading a local resume file. This is central to the stated API-wrapper purpose, but users should understand the agent is being instructed to run local shell/API commands.

Skill content

allowed-tools:
  - Bash ... curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload' ... -F "file=@$RESUME_FILE"

Recommendation

Confirm the resume path, job information, and endpoint before use; avoid providing files or paths that should not be uploaded.

What this means

Using this skill may depend on another skill's instructions and permissions.

Why it was flagged

The skill requires installing/loading another skill that is not part of the provided manifest. This appears purpose-aligned as a shared Pincaimao helper, but it adds an external dependency users should review separately.

Skill content

**REQUIRED:** First check whether `pincaimao-basic` is installed; if it is not, install it, then load it to learn the shared interfaces (file upload, authentication, response format, SSE parsing template).

Recommendation

Review and trust the pincaimao-basic skill before installing or loading it; prefer a known publisher/version when available.

What this means

API calls are made under the authority of the configured Pincaimao key.

Why it was flagged

The skill uses an environment-supplied API key as a bearer credential for Pincaimao API requests. This is expected for the integration and is not hardcoded.

Skill content

`PCM_ONLINE_INTERVIEW_KEY` (agent-specific key) ... Authorization: Bearer $PCM_ONLINE_INTERVIEW_KEY

Recommendation

Use a dedicated, revocable key with only the needed access, and do not paste the key into chats or files.

What this means

Resumes, job descriptions, video/interview content, and reports may leave the local environment and be stored or delivered through Pincaimao workflows.

Why it was flagged

The skill discloses that sensitive applicant/interview data is sent to Pincaimao, uploaded files are stored in Pincaimao cloud object storage, and a callback URL can receive the generated report.

Skill content

`inputs.url_callback` ... callback URL invoked after the report is generated (POST, returns a base64-encoded report) ... Resume files, job descriptions, and contract text are transmitted to `api.pincaimao.com` ... Uploaded files are stored on Pincaimao's COS

Recommendation

Only use this with candidate data you are allowed to share with Pincaimao; verify any callback URL carefully and understand retention/deletion practices before uploading sensitive files.