v1.0.1

Pincaimao (聘才猫) Resume Diagnosis

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:26 AM.

Analysis

This appears to be a legitimate Pincaimao resume-diagnosis API wrapper, but it uploads sensitive resume and job-description data to Pincaimao and relies on an API key plus a separate helper skill.

Guidance: Install this only if you are comfortable sending the selected resume and job description to Pincaimao for processing. Review the separate pincaimao-basic dependency, keep the API key private, confirm the exact file before upload, and check provider privacy/retention requirements for candidate data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
allowed-tools:
  - Bash ... curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload'

The skill uses Bash/curl to upload a selected resume file and call the external API. This is expected for the stated API workflow, but it is still local command execution that transmits user-selected data.

User impact: If the wrong file or job description is selected, the agent could upload unintended information to the provider.
Recommendation: Confirm the exact resume file and job description before use, and avoid adapting the example commands to broader file paths or unattended batch uploads.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
Please first check whether `pincaimao-basic` is installed; if it is not, install it first, then load it

The skill depends on a separate pincaimao-basic skill for common API behavior, but that dependency is not included in the provided artifacts. It appears purpose-aligned, but it expands the reviewed surface.

User impact: Installing or loading the helper skill may introduce additional instructions, permissions, or network behavior not visible in this artifact set.
Recommendation: Review the pincaimao-basic skill, its source, version, and permissions before installing or allowing the agent to load it.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
PCM_RESUME_DIAGNOSIS_KEY ... Authorization: Bearer $PCM_RESUME_DIAGNOSIS_KEY

The skill requires a Pincaimao API key from the environment and uses it as a bearer token for API calls. This is expected for the integration and is not hardcoded in the artifact.

User impact: Requests are made under the user's Pincaimao credentials, and exposure of the key could allow unauthorized API use.
Recommendation: Store the key only as an environment variable, do not paste it into chat or logs, and rotate it if it may have been exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Resume files, job descriptions, and contract text are transmitted to `api.pincaimao.com` for AI processing ... Uploaded files are stored on Pincaimao's COS

The artifact explicitly discloses that sensitive documents are sent to Pincaimao and stored in its cloud object storage. This is central to the skill's purpose, but users should treat it as a privacy boundary.

User impact: Candidate personal data and job details leave the local environment and may remain stored by the provider; leaked cos_key values could be sensitive.
Recommendation: Use the skill only with authorization to share the resume and job description, review Pincaimao's privacy and retention terms, and protect returned cos_key values.