ai-used-resume

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill extensively uses shell commands via uv run vibe-resume to handle data extraction, aggregation, enrichment, and rendering of the résumé files.
  • [EXTERNAL_DOWNLOADS]: The instructions guide the agent to clone the source repository from the author's GitHub (https://github.com/easyvibecoding/vibe-resume) and perform a local installation if the CLI is missing.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests untrusted data from the local environment and external sources for processing.
      • Ingestion points: Local git repository histories, AI tool usage logs (e.g., ~/.claude/projects), and user-provided Job Description text files.
      • Boundary markers: The skill instructions include behavioral constraints such as "never invent activities" and "never hallucinate," though it does not specify technical data delimiters.
      • Capability inventory: Shell execution via uv, filesystem read/write access for data caching and résumé output, and optional network interaction through the claude CLI for LLM-based enrichment.
      • Sanitization: There is no mention of automated sanitization or filtering for the content extracted from git commits or AI logs before it is used in prompts.
Audit Metadata
Risk Level: SAFE
Analyzed: May 19, 2026, 03:48 PM