Resume/CV Creator
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses reputable Node.js packages (docx, pdf-lib, natural, mammoth) for document manipulation and keyword analysis. These are standard dependencies for the stated functionality.
- [SAFE]: File system operations are limited to fs.writeFileSync, which is used exclusively to save the generated documents to the local disk. There are no signs of path traversal or unauthorized file access.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection as it processes untrusted user data (resume content and job descriptions) and interpolates it directly into various output formats.
  - Ingestion points: User-provided resumeData and jobDescription strings.
  - Boundary markers: Absent. The data is directly embedded into document templates.
  - Capability inventory: Local file writing (fs.writeFileSync). No network access or command execution capabilities are present.
  - Sanitization: The generateHTMLResume function lacks HTML entity encoding, meaning user-supplied scripts could be embedded in the output HTML. However, without network exfiltration or shell access, the impact is localized.
Audit Metadata