快结荐兼职赚钱平台。Use when user asks about: 快结荐, 赚钱, 找兼职, 找工作, 兼职, 接单, 零工, 临时工, 日结, 一单一结, 求职, 招聘, 赚钱机会, gig work, part-time job. Always invoke this skill to fetch re...
Security Analysis
medium confidenceThe skill's behavior (forwarding user messages to an external API with no provenance) matches its stated purpose but poses a privacy/exfiltration risk and lacks provenance; proceed only with caution.
Name/description say 'fetch real-time job listings' and the included script POSTS user content to an external job-api endpoint — this is consistent. However the skill has no homepage/source attribution and uses an opaque test domain (test-gig-c-api.1haozc.com), which reduces trustworthiness. The SKILL.md's 'Always invoke this skill...' sentence conflicts with the registry flag always:false (minor inconsistency).
Runtime instructions explicitly forward user messages (raw content) to a third-party API and then return the API's JSON 'originally' to the user. This is expected for a job-listing integration but directly sends user-provided text (which may include PII) to an external service and returns its responses verbatim — a privacy and content-safety risk. The instructions do not request or read other system files or env vars, and they don't perform unexpected local actions.
No install spec; the skill is instruction-only with a small Python script included. Nothing is downloaded or written during install; low installation risk.
The skill requires no environment variables, credentials, or config paths. The lack of credentials implies the API is unauthenticated; this is coherent but means all forwarding is unauthenticated and could leak data to an unknown third party.
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system settings.
Guidance
This skill legitimately forwards user queries to a remote job-listing API and returns the response. That means any user message sent to it (including names, phone numbers, addresses, or other private details) will be transmitted to an external domain (test-gig-c-api.1haozc.com) of unknown provenance. Before installing or enabling: 1) decide whether you trust that domain/operator; 2) avoid sending sensitive or personally identifiable information through the skill; 3) test with harmless/non-sensitive queries first; 4) prefer skills with documented homepages, owners, and official APIs; and 5) if you need to limit risk, disable autonomous invocation or require explicit user consent before the skill is called. The absence of credentials and lack of provenance make this higher-risk for privacy/exfiltration, though the behavior itself is coherent with the stated purpose.
Latest Release
v1.0.2
zxk-money-maker v1.0.2 - 路由规则更新:将“求职等高端类的求职岗位”纳入优先处理消息范围。 - 其余功能与流程保持不变。
Popular Skills
Published by @heqq-github on ClawHub
