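Security scan
OpenClaw
Safe
High confidence: The skill's declared requirements (curl, jq, XIAOBA_API_KEY) and its runtime instructions are consistent with its stated purpose of calling the Xiaoba (ibaguo) interview API; nothing it requests is inappropriate or unrelated.
Assessment recommendations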
This skill is coherent with its purpose, but before installing consider: (1) Trustworthiness of the service (https://www.ibaguo.com) — you will send candidate names, phone numbers, resumes, transcripts and other PII to that external API; verify privacy policy and data retention. (2) Treat XIAOBA_API_KEY as a secret: do not paste it into chat, rotate and scope the key if possible, and avoid embedding it in logs. (3) Ensure curl and jq are installed on the agent host and that network egress to htt...
✓ Purpose and capabilities
Name/description claim to call the ibaguo interview API; required binaries (curl, jq) and the single required env var (XIAOBA_API_KEY) are appropriate and expected for making HTTP API calls.
✓ Instruction scope
SKILL.md contains only curl-based request templates to the documented base URL and describes endpoints for plans, candidates, and sessions. It uses only the declared XIAOBA_API_KEY and does not instruct the agent to read unrelated files, other env vars, or system configuration. It does transmit candidate info and transcripts to the external API (expected for this skill) — be aware of privacy/PII implications.
✓ Install mechanism
Instruction-only skill with no install spec or code files. This is lowest-risk for arbitrary code installation.
✓ Credential requirements
Only one credential is required: XIAOBA_API_KEY (declared as primaryEnv). That matches the API's documented Authorization: Bearer header usage and is proportionate to the functionality.
✓ Persistence and privileges
Skill is not marked always:true and does not request elevated or persistent system presence. It does not modify other skills or system-wide settings in the provided instructions.
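Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/19
Initial release of the xiaoba-interview-api Skill:
- Provides access to the Xiaoba AI Interview Open API for interview planning, candidate management and session/result handling.
- Supports creating, querying and generating interview plans.
- Allows creating and listing candidates, including candidate details.
- Supports scheduling interview sessions and retrieving interview results.
- Requires an API key supplied through the `XIAOBA_API_KEY` environment variable.
- Includes bash + curl + jq request templates for all core workflows.
● Harmless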
Install command
Official: npx clawhub@latest install xiaoba-ai-interview
Mirror (available): npx clawhub@latest install xiaoba-ai-interview --registry https://cn.longxiaskill.com
Skill documentation
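Xiaoba AI Interview Open API (ibaguo) Skill
Use this Skill to call the Xiaoba AI Interview Open API from your workflow to handle:
- Interview Plans: create / generate / query
- Candidates: create / query
- Sessions: start an interview, fetch interview results
Authentication and basics
- Base URL: https://www.ibaguo.com/api/v1
- Authentication: HTTP header Authorization: Bearer
- Put the API key in the environment variable XIAOBA_API_KEY (do not write the key into the conversation or into logs).
Common request template (bash + curl)
Prefer the templates below when making requests (jq pretty-prints the output):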
BASE_URL="https://www.ibaguo.com/api/v1"
# GET example
curl -sS "$BASE_URL/plans?limit=20&offset=0" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Accept: application/json" | jq
# POST example (JSON body); \n inside the single-quoted JSON is a JSON newline escape
curl -sS "$BASE_URL/plans" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{"name":"测试计划","questions":"自我介绍\n项目经历\n算法题","interview_style":"standard","job_title":"后端工程师","job_description":"负责核心服务开发","duration_minutes":15}' | jq
1) Interview Plans
1.1 List interview plans
- Method: GET
- Path: /plans
- Query parameters:
  - limit (optional, default 20)
  - offset (optional)
  - status (optional)
curl -sS "$BASE_URL/plans?limit=20&offset=0&status=active" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Accept: application/json" | jq
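1.2 Create an interview plan
- Method: POST
- Path: /plans
- Body (JSON) fields (taken from the screenshot documentation):
  - name (required): plan name
  - questions: interview question text (newline-separated)
  - job_title: job title
  - job_description: job description
  - interview_style: standard | strict | gentle
  - duration_minutes: duration (in minutes; the example uses 15)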
curl -sS "$BASE_URL/plans" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{ "name":"后端工程师-一面", "questions":"自我介绍\n项目经历\n并发/锁\n数据库索引\n系统设计", "job_title":"后端工程师", "job_description":"负责核心服务开发与性能优化", "interview_style":"standard", "duration_minutes":15 }' | jq
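1.3 Generate an interview plan automatically from requirements
- Method: POST
- Path: /plans/generate
- Body (JSON) fields:
  - requirements (required): description of the role / skill requirements
  - count: number of questions (the example uses 5)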
curl -sS "$BASE_URL/plans/generate" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{"requirements":"后端工程师,熟悉 Java/Spring,MySQL,Redis,具备高并发经验","count":5}' | jq
2) Candidates
2.1 List candidates
- Method: GET
- Path: /candidates
curl -sS "$BASE_URL/candidates" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Accept: application/json" | jq
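2.2 Create a candidate
- Method: POST
- Path: /candidates
- Body (JSON) fields:
  - name (required): candidate name
  - phone (required): mobile phone number
  - email (optional): email address
  - plan_id: interview plan ID
  - resume_data: resume data (JSON object)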
curl -sS "$BASE_URL/candidates" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{ "name":"张三", "phone":"13900139000", "email":"zhangsan@example.com", "plan_id":"c711d961-xxxx-xxxx-xxxx-xxxxxxxxxxxx" }' | jq
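Note: the response usually includes candidate.id / status and the interview link (example field: interview_url).
3) Sessions
3.1 Start / schedule an interview
- Method: POST
- Path: /sessions
- Body (JSON) fields:
  - plan_id (required)
  - candidate_id (required)
  - scheduled_at: scheduled time (ISO 8601)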
curl -sS "$BASE_URL/sessions" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{ "plan_id":"c711d961-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "candidate_id":"2ead313b-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "scheduled_at":"2026-04-25T18:08:08Z" }' | jq
The response returns id, status (for example scheduled) and interview_url (the candidate opens it to start the interview).
3.2 Get interview results
- Method: GET
- Path: /sessions/:id/result
SESSION_ID="uuid-here"
curl -sS "$BASE_URL/sessions/$SESSION_ID/result" \
-H "Authorization: Bearer $XIAOBA_API_KEY" \
-H "Accept: application/json" | jq
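The result usually contains:
- overall_score (overall score and grade)
- detailed_analysis (detailed analysis)
- recommendations (recommendations)
- transcript (conversation record)
Recommended workflow (most common)
- POST /plans or POST /plans/generate to obtain plan_id
- POST /candidates to create the candidate and obtain candidate_id
- POST /sessions to create the session and obtain session_id and interview_url
- After the interview ends: GET /sessions/:id/result to fetch the result and organize it
Security notes
- Do not output XIAOBA_API_KEY or full request headers in the conversation.
- If logging is needed, record only the URL path, the HTTP method, and a redacted summary of the response.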
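The logging rule above, as an added example that is not part of the skill's own documentation: it builds a log line holding only the HTTP method, the URL path and a redacted response summary. The helper names, the list of sensitive keys and the sample response are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the skill's own code): log helpers for the API calls above.
# The key list is an assumption based on the fields named on this page.
SENSITIVE_KEYS='["name","phone","email","resume_data","transcript","interview_url"]'

# url_path URL -> path only; scheme, host and query string are dropped.
url_path() (
  p="${1#*://}"                 # drop the scheme
  case "$p" in
    */*) p="/${p#*/}" ;;        # drop the host, keep the path
    *)   p="/" ;;               # bare host with no path
  esac
  printf '%s\n' "${p%%[?]*}"    # drop the query string
)

# redact_summary JSON -> compact JSON with sensitive values masked at any depth.
# Fails closed: without jq, or on unparsable input, no body content is emitted.
redact_summary() {
  command -v jq >/dev/null 2>&1 || { printf '%s\n' '"[body omitted]"'; return 0; }
  printf '%s' "$1" | jq -c --argjson keys "$SENSITIVE_KEYS" '
    def scrub:
      if type == "object" then
        with_entries(.key as $k |
          if ($keys | index($k)) then .value = "[REDACTED]"
          else .value |= scrub end)
      elif type == "array" then map(scrub)
      else . end;
    scrub' 2>/dev/null || printf '%s\n' '"[body omitted]"'
}

# log_line METHOD URL RESPONSE_JSON -> one line that is safe to write to a log.
# Request headers are never passed in, so the Bearer key cannot reach the log.
log_line() {
  printf '%s %s %s\n' "$1" "$(url_path "$2")" "$(redact_summary "$3")"
}

# Constructed sample: the shape of a POST /candidates response is assumed.
SAMPLE_RESPONSE='{"candidate":{"id":"c-0001","status":"pending","name":"Zhang San","phone":"13900139000","interview_url":"https://example.invalid/interview/constructed-token"}}'

log_line POST "https://www.ibaguo.com/api/v1/candidates?limit=20" "$SAMPLE_RESPONSE"
```

The interview_url is masked as well because, per the documentation above, anyone who opens it can start the interview.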