v1.0.1

聘才猫 (Pincaimao) Resume Optimization

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

The resume-optimization function is mostly clear, but the skill also tells the agent to install and load another undeclared skill before use, which users should review carefully.

Guidance: Review the additional `pincaimao-basic` dependency before allowing installation or loading. If you proceed, confirm the resume file and job description each time, because the workflow uploads personal resume data to Pincaimao and stores uploaded files on its cloud storage.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
**REQUIRED:** First check whether `pincaimao-basic` is installed; if it is not, install it first, then load it to learn the common interface

The skill directs the agent to install and load another skill before use, but the reviewed artifacts do not define that dependency's source, version, or review boundary.

User impact: Installing an additional, undeclared skill could change the agent's behavior beyond this resume-optimization skill.
Recommendation: Only proceed if you intentionally trust and review `pincaimao-basic`; the publisher should declare the dependency with a pinned source/version or require explicit user approval before installation.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
UPLOAD=$(curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload' ... -F "file=@$RESUME_FILE")

The documented workflow uses Bash/curl to upload the user's resume file to the Pincaimao API; this is purpose-aligned but sensitive.

User impact: Your resume content and target-job information will be sent to Pincaimao for processing.
Recommendation: Confirm the exact resume file and job description before invoking the skill, and avoid sending documents you do not want processed by Pincaimao.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
**Environment variable**: `PCM_RESUME_OPTIMIZE_KEY` (agent-specific key)

The skill requires a Pincaimao API key and passes it in the Authorization header; this is expected for the service integration.

User impact: The agent can call Pincaimao APIs using the configured key.
Recommendation: Use a dedicated, least-privileged API key if available and rotate it if you suspect exposure.