Back to skill

Security audit

UseResume

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a resume and cover-letter API, with the main caution that personal documents and API credentials need careful handling.

Install only if you are comfortable sending resume, cover-letter, job-description, and uploaded document contents to useresume.ai. Treat USERESUME_API_KEY as a secret, avoid unnecessary personal details, review the provider's privacy and retention practices, and verify the npm package provenance before global installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly encourages parsing and uploading resumes and cover letters from local files or remote URLs, but provides no warning that these documents commonly contain highly sensitive personal data and will be transmitted to an external API. In an agent context, this omission increases the risk of users or downstream agents sending personal documents to a third-party service without informed consent or data-handling awareness.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The README tells users to export an API key into an environment variable but does not warn that the value is a secret credential that should be protected from logs, screenshots, shell history, and accidental commits. This is a real but low-severity documentation security issue because poor secret-handling guidance can lead to credential exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill is explicitly designed to send highly sensitive personal data in resumes and cover letters to the useresume.ai API, but the documentation does not clearly warn users that their personal information will leave the local environment. This creates a meaningful privacy and compliance risk because users may unknowingly transmit PII such as addresses, phone numbers, employment history, and possibly nationality or date of birth to a third-party service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The parse command examples accept local files and public URLs, but they do not clearly disclose that the referenced document contents are uploaded to a remote service for parsing. This is dangerous because users may assume local parsing and provide confidential resumes or cover letters without understanding that the full document will be transmitted off-host.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.