Back to skill

Security audit

聘才猫(Pincaimao)模拟面试

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Pincaimao mock-interview integration that sends interview and resume data to Pincaimao for the service it provides.

Install only if you are comfortable sending resume, job-description, interview-answer, and optional video data to Pincaimao. Use a dedicated API key, avoid submitting unnecessary personal information, treat cos_key and conversation_id values as sensitive, and separately review the pincaimao-basic dependency before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: 第一轮 - 开始面试
QUERY=$(echo "$JOB_INFO" | cut -c1-20)
ROUND1=$(curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages' \
  -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \
  -H 'Content-Type: application/json' \
  -d "{
Confidence
90% confidence
Finding
curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages' \ -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \ -H 'Content-Type: application/json' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 3: 后续轮次
USER_ANSWER="我有5年销售经验,擅长大客户开拓..."
curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages' \
  -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \
  -H 'Content-Type: application/json' \
  -d "{
Confidence
90% confidence
Finding
curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages' \ -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \ -H 'Content-Type: application/json' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
RESUME_FILE="/path/to/resume.docx"

# Step 1: 上传简历(可选)
UPLOAD=$(curl -s -X POST 'https://api.pincaimao.com/agents/v1/files/upload' \
  -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \
  -F "file=@$RESUME_FILE")
COS_KEY=$(echo "$UPLOAD" | python3 -c "import sys,json; print(json.load(sys.stdin)['cos_key'])")
Confidence
94% confidence
Finding
https://api.pincaimao.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 2: 第一轮 - 开始面试
QUERY=$(echo "$JOB_INFO" | cut -c1-20)
ROUND1=$(curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages' \
  -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \
  -H 'Content-Type: application/json' \
  -d "{
Confidence
90% confidence
Finding
https://api.pincaimao.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Step 3: 后续轮次
USER_ANSWER="我有5年销售经验,擅长大客户开拓..."
curl -s -X POST 'https://api.pincaimao.com/agents/v1/chat/chat-messages' \
  -H "Authorization: Bearer $PCM_MOCK_INTERVIEW_KEY" \
  -H 'Content-Type: application/json' \
  -d "{
Confidence
90% confidence
Finding
https://api.pincaimao.com/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.