📦 nexus-talent-assessor — Utilities
v2.1.2 Uses skills gap analysis, 360-feedback, and career path recommendations.
Security scan
OpenClaw
Suspicious
Medium confidence
The skill's stated HR assessment purpose is plausible, but its runtime instructions and metadata are vague about data sources and integrations while allowing broad access (web-fetch, web-search, filesystem) and referencing a proprietary ecosystem with no declared credentials or provenance — this mismatch warrants caution.
Assessment recommendation
This skill looks like a legitimate HR assessment helper, but it gives the agent broad ability to read local files and fetch from the web while remaining vague about which sources are allowed and how sensitive data is handled. Before installing: (1) confirm the skill's provenance and whether 'NEXUS AI Corp' is a real vendor and where data is sent; (2) restrict or approve the allowed-tools scope (disable or limit filesystem/web-fetch if you don't want local files or external posting); (3) require ...
ℹ Purpose and capabilities
The name and description (HR talent assessments, 360 feedback, career recommendations) align with the workflow in SKILL.md. However the metadata repeatedly references a proprietary 'NEXUS AI Corp ecosystem' and department-specific engines without declaring any required credentials, endpoints, or integration details — an unexplained dependency.
⚠ Instruction scope
SKILL.md explicitly allows use of web-search, web-fetch, and filesystem. The workflow requires cross-validation with 'minimum 2 independent sources' and 'department-specific engines' but does not restrict or document what sources are acceptable (internal HR files, public web, third-party APIs). That gives the agent broad discretion to read local files and fetch/send data externally, which increases risk of accidental exposure of sensitive employee data.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write or execute new binaries on disk. That minimizes install-time risk.
ℹ Credential requirements
The skill requests no environment variables or credentials, which is proportionate to an instruction-only agent. However the metadata's claim of compatibility with a named corporate ecosystem and 'department-specific engines' suggests it may normally require credentials or endpoints; the absence of declared credentials is an unexplained inconsistency.
✓ Persistence and privileges
always is false and there are no install hooks or instructions to modify other skills or system-wide settings. The primary privilege concern is the allowed-tools scope (filesystem/web-fetch) in the runtime instructions, not persistence or automatic installation.
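Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install nexus-talent-assessor
Mirror (accelerated): npx clawhub@latest install nexus-talent-assessor --registry https://cn.longxiaskill.com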