聘才猫 (Pincaimao) Resume Optimization

Security checks across malware telemetry and agentic risk

Overview

This skill's behaviour is consistent with its stated purpose (resume optimization), but it uploads your resume and the job description to Pincaimao and depends on a separate base skill, so verify both the service and the dependency before use.

Before installing, make sure you trust Pincaimao and the referenced pincaimao-basic dependency. Use a dedicated API key, provide only the intended resume file and job description, and avoid sending highly sensitive personal information unless you are comfortable with Pincaimao processing and storing it.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may upload whatever file sits at the path it is given to Pincaimao, using shell commands.

Why it was flagged

The skill grants Bash access and documents curl calls that upload a resume file and call the optimization API. This is expected for the skill purpose, but users should understand it can run local shell commands and send a chosen file over the network.

Skill content
allowed-tools:
  - Bash
... curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload'
Recommendation

Only provide resume files you intend to send to Pincaimao, and review the file path before approving execution.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone who can read this environment variable can make authenticated Pincaimao API calls as the configured user or agent.

Why it was flagged

The skill uses a provider API key from an environment variable as a bearer token. This is expected for authenticated API access and there is no evidence of hardcoding or unrelated credential use.

Skill content
Environment variable: `PCM_RESUME_OPTIMIZE_KEY` ... -H "Authorization: Bearer $PCM_RESUME_OPTIMIZE_KEY"
Recommendation

Use a dedicated, least-privilege Pincaimao key and avoid sharing logs or terminals that expose the environment. Note that the documented `-H "Authorization: Bearer $PCM_RESUME_OPTIMIZE_KEY"` form places the key on curl's command line, where other local processes can read it from `ps` output and where a shell trace (`set -x`) will print it.
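One way to act on the ASI02 and ASI03 recommendations above before approving the documented curl call, as an added example that is not part of the skill or of Pincaimao's own code: a POSIX shell gate that refuses any path outside an allowed directory (resolving `..` segments and symlinked parents), rejects symlinked, oversized or unexpectedly named files, and then hands the bearer token to curl through a 0600 header file (`-H @file`) instead of on the command line, so the key is not visible in `ps` output. The function names, the `RESUME_DIR` and `MAX_RESUME_BYTES` variables, the extension list and the multipart field name `file` are assumptions for illustration; only the endpoint URL and `PCM_RESUME_OPTIMIZE_KEY` come from the skill.

```shell
#!/bin/sh
# Added example, not code from the skill: gate the resume path and the token
# before running the upload curl the skill documents. check_resume_path,
# upload_resume, RESUME_DIR, MAX_RESUME_BYTES and the multipart field name
# "file" are assumptions; the endpoint and PCM_RESUME_OPTIMIZE_KEY are the
# ones the skill itself references.

CDPATH=   # keep cd from searching other directories or printing a path

# check_resume_path FILE ALLOWED_DIR MAX_BYTES
# Succeeds only if FILE is a regular, non-symlinked file that physically
# lives under ALLOWED_DIR, has a resume-like extension and is <= MAX_BYTES.
check_resume_path() {
  file=$1 allowed=$2 max=$3
  if [ -L "$file" ] || [ ! -f "$file" ]; then
    echo "refuse: not a regular file (or is a symlink): $file" >&2; return 1
  fi
  # Resolve both sides physically (pwd -P) so ".." segments and symlinked
  # parent directories cannot move the upload outside the allowed tree.
  real=$(cd -- "$(dirname -- "$file")" && pwd -P)/$(basename -- "$file") || return 1
  base=$(cd -- "$allowed" && pwd -P) || { echo "refuse: bad allowed dir: $allowed" >&2; return 1; }
  case $real in
    "$base"/*) ;;
    *) echo "refuse: $real is outside $base" >&2; return 1 ;;
  esac
  case $real in
    *.pdf|*.doc|*.docx|*.txt|*.md) ;;   # assumed allow-list of resume formats
    *) echo "refuse: unexpected file type: $real" >&2; return 1 ;;
  esac
  size=$(wc -c < "$real" | tr -d ' ')
  if [ "$size" -gt "$max" ]; then
    echo "refuse: $size bytes exceeds limit of $max" >&2; return 1
  fi
  return 0
}

# upload_resume FILE
# Runs the gate, then uploads with the bearer token read from a temp file
# (mktemp creates it mode 0600) via curl's -H @file form, so the token is
# not on curl's command line where `ps` on the same host could read it.
upload_resume() {
  file=$1
  : "${PCM_RESUME_OPTIMIZE_KEY:?PCM_RESUME_OPTIMIZE_KEY is not set}"
  check_resume_path "$file" "${RESUME_DIR:-$HOME/resumes}" "${MAX_RESUME_BYTES:-5000000}" || return 1
  hdr=$(mktemp) || return 1
  printf 'Authorization: Bearer %s\n' "$PCM_RESUME_OPTIMIZE_KEY" > "$hdr"
  curl -sS -X POST 'https://api.pincaimao.com/agents/v1/files/upload' \
       -H "@$hdr" -F "file=@$file"      # field name "file" is an assumption
  rc=$?
  rm -f "$hdr"
  return "$rc"
}
```

Usage: `RESUME_DIR=$HOME/resumes upload_resume "$HOME/resumes/cv.pdf"`. Do not run the script under `set -x`: the header file keeps the token off curl's argument list, but an xtrace would still echo the `printf` line that writes it.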

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing or loading the referenced base skill could add extra instructions or capabilities not reviewed in this artifact set.

Why it was flagged

The skill instructs use of another skill, pincaimao-basic, but that dependency is not included in the manifest or install spec. This is a provenance gap rather than evidence of malicious behavior.

Skill content
**REQUIRED:** First check whether `pincaimao-basic` is installed; if it is not, install it first, then load it
Recommendation

Review and install pincaimao-basic only from a trusted source before using this skill.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Personal resume data and job-description context will leave the local environment and be stored or processed by Pincaimao.

Why it was flagged

The skill clearly discloses that user documents and job descriptions are sent to the external provider and that uploaded files are stored remotely. This is purpose-aligned, but it is a sensitive data boundary users should notice.

Skill content
Resume files, job descriptions, and contract text are transmitted to `api.pincaimao.com` ... Uploaded files are stored on Pincaimao's COS
Recommendation

Confirm that Pincaimao's privacy and retention terms are acceptable before sending sensitive resumes or personal information.