Medical CV/Resume Builder

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a medical CV/resume writing helper, but its own audit evidence indicates unresolved scope-boundary failures and overbroad activation language.

Review before installing. Use this only for medical CV/resume structuring, not general academic writing or medical advice, and confirm the skill has clear refusal boundaries for requests outside resume/CV work.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The archived audit explicitly preserves a stress-case failure where the skill drifted outside its declared scope and missed required boundary guidance. For an academic-writing skill in a medical context, scope drift can cause the agent to produce content beyond formatting/structuring into higher-risk advisory or unsupported professional material, undermining safety claims.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The file declares security PASS and deployable status while also containing preserved evidence of scope-control and boundary failures elsewhere in the same audit. That mismatch is dangerous because downstream reviewers or automated promotion systems may trust the PASS posture and deploy a skill whose controls are known to be incomplete.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The invocation language is broad enough to cover many generic academic-writing requests, which weakens routing precision and increases the chance the skill is selected for tasks outside its intended narrow CV/resume use. In this context, overbroad triggering is more dangerous because the domain is medical/academic, where outputs can be mistaken for authoritative professional content.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The alternate invocation phrasing overlaps with common academic-writing workflows and can cause the skill to activate in situations far beyond resume/CV building. This broad matching increases the likelihood of accidental misuse and boundary bypass, especially when combined with documented stress-case scope failures.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal