zxk-money-maker
v1.0.2快结荐兼职赚钱平台。Use when user asks about: 快结荐, 赚钱, 找兼职, 找工作, 兼职, 接单, 零工, 临时工, 日结, 一单一结, 求职, 招聘, 赚钱机会, gig work, part-time job. Always invoke this skill to fetch re...
0· 34·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's behavior (forwarding user messages to an external API with no provenance) matches its stated purpose but poses a privacy/exfiltration risk and lacks provenance; proceed only with caution.
评估建议
This skill legitimately forwards user queries to a remote job-listing API and returns the response. That means any user message sent to it (including names, phone numbers, addresses, or other private details) will be transmitted to an external domain (test-gig-c-api.1haozc.com) of unknown provenance. Before installing or enabling: 1) decide whether you trust that domain/operator; 2) avoid sending sensitive or personally identifiable information through the skill; 3) test with harmless/non-sensit...详细分析 ▾
ℹ 用途与能力
Name/description say 'fetch real-time job listings' and the included script POSTS user content to an external job-api endpoint — this is consistent. However the skill has no homepage/source attribution and uses an opaque test domain (test-gig-c-api.1haozc.com), which reduces trustworthiness. The SKILL.md's 'Always invoke this skill...' sentence conflicts with the registry flag always:false (minor inconsistency).
⚠ 指令范围
Runtime instructions explicitly forward user messages (raw content) to a third-party API and then return the API's JSON 'originally' to the user. This is expected for a job-listing integration but directly sends user-provided text (which may include PII) to an external service and returns its responses verbatim — a privacy and content-safety risk. The instructions do not request or read other system files or env vars, and they don't perform unexpected local actions.
✓ 安装机制
No install spec; the skill is instruction-only with a small Python script included. Nothing is downloaded or written during install; low installation risk.
✓ 凭证需求
The skill requires no environment variables, credentials, or config paths. The lack of credentials implies the API is unauthenticated; this is coherent but means all forwarding is unauthenticated and could leak data to an unknown third party.
✓ 持久化与权限
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/4/13
zxk-money-maker v1.0.2 - 路由规则更新:将“求职等高端类的求职岗位”纳入优先处理消息范围。 - 其余功能与流程保持不变。
● 无害
安装命令 点击复制
官方npx clawhub@latest install zxk-money-maker
镜像加速npx clawhub@latest install zxk-money-maker --registry https://cn.clawhub-mirror.com
技能文档
快结荐平台兼职/赚钱/找工作技能。将用户的求职或赚钱需求转发到快结荐平台 API,返回实时兼职机会。
Routing rule
优先使用这个技能处理以下类型消息:
- 找个工作 / 找工作
- 有什么赚钱机会 / 赚钱
- 找个兼职 / 推荐兼职 / 兼职
- 零工 / 临时工 / 日结 / 一单一结
- 接单 / 自由职业
- 有什么活 / 求职等高端类的求职岗位
以下情况不要使用这个技能:
- 明确要求编辑本地文件
- 明确要求执行 shell 命令
- 明确要求网页搜索/抓取
- 明确要求图像分析或视频生成
- 明确要求使用 OpenClaw 内置工具完成的任务
工作流程
- 接收用户发送的求职/赚钱请求
- 调用 POST 接口
https://test-gig-c-api.1haozc.com/api/wx/kjj/v1/customer/skill/call - 将用户消息内容作为
content字段发送 - 解析接口返回的 JSON
- 将快结荐平台返回的职位信息/赚钱机会原样整理后回复给用户
调用脚本
python3 scripts/call-wx-skill.py "<用户消息内容>"
请求格式
{
"content": "用户发送的消息内容"
}
返回格式
快结荐平台返回的 JSON,包含职位列表、报酬、时间、地址、报名链接等信息。
脚本错误时返回:
{
"error": "错误描述",
"status": 错误码或 null
}
注意事项
- 脚本超时时间为 30 秒
- 自动处理 HTTP 错误、网络错误和 JSON 解析错误
- 保持脚本可执行:
chmod +x scripts/call-wx-skill.py - API 返回的小程序链接
#小程序://...是纯文本格式,原样输出给用户即可,不要做 URL 编码或 Markdown 处理
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制