xzk-money-maker
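v1.0.4
快结荐 part-time job and money-making platform. Use when user asks about: 快结荐, making money, finding part-time work, finding a job, part-time work, taking orders, odd jobs, temp work, daily pay, pay per job, job seeking, recruitment, money-making opportunities, gig work, part-time job. Always invoke this skill to fetch re...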
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description claim to fetch gig/part-time job listings; the SKILL.md and the included script both POST the user's message to a backend API and return the JSON response. No unrelated binaries, env vars, or config paths are requested — the requested capabilities match the stated purpose.
Instruction Scope
Instructions are narrowly scoped to sending the user's message as the 'content' field to the specified API and returning the API response. This is consistent with the purpose, but it does mean arbitrary user-provided text (which might include PII or sensitive info) is transmitted to the third-party server. The SKILL.md does not instruct reading any local files or other environment state.
Install Mechanism
There is no install spec; the skill is instruction-only aside from a small Python script included in the package. Nothing is downloaded or extracted during install, so install risk is low.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the script does not use any secrets. The lack of requested credentials is proportionate to its simple network-forwarding behavior.
Persistence & Privilege
The skill is not set to always:true and requests no elevated privileges. However, the platform default allows autonomous invocation; combined with the skill's behavior of sending user messages to an external host, that means the agent could call the external API automatically when triggered by matching user queries. This is expected but worth considering from a privacy perspective.
Assessment
This skill forwards whatever the user types to https://test-gig-c-api.1haozc.com and returns the API response. That matches its stated purpose, but before installing consider: (1) The endpoint looks like a third‑party or test host — verify you trust the domain and its operator. (2) Do not allow the skill to forward sensitive personal data (IDs, phone numbers, addresses) without user consent. (3) Test the skill with non-sensitive queries first to confirm behavior. (4) If you want tighter control, disable autonomous invocation or require explicit user confirmation before the skill is called. (5) If you need stronger assurance, ask the publisher for documentation or use an official/known provider instead.
Like a lobster shell, security has layers — review code before you run it.
