Back to skill

Security audit

Resume Parsing

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for resume parsing, but it automatically installs an unpinned package and creates local files containing sensitive resume data, so users should review it before installing.

Install only if you are comfortable with a first-run pip install of the latest pdfmuse package and with extracted resume contents being written to local Markdown, JSON, and CSV files. Use a controlled environment, preinstall and pin the dependency yourself if possible, and avoid processing resumes containing protected personal attributes unless you have consent and a clear retention policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return pdfmuse
    except ImportError:
        print("pdfmuse not found -- installing (one-time)...", file=sys.stderr)
        subprocess.run(
            [sys.executable, "-m", "pip", "install", "-q", "pdfmuse"],
            check=True,
        )
Confidence
91% confidence
Finding
subprocess.run( [sys.executable, "-m", "pip", "install", "-q", "pdfmuse"], check=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs use of shell commands and file read/write behavior, yet declares no permissions. This creates a transparency and policy-enforcement gap: an orchestrator or reviewer may treat the skill as lower risk than it is, while the workflow actually processes local files and writes extracted resume data to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior materially differs from the advertised description: it installs an external package at runtime, produces intermediate markdown/sidecar data, and relies on the agent to semantically map resume content. This mismatch is dangerous because users may authorize the skill expecting a bounded parser, while it actually performs network-sensitive dependency installation and broader data handling than disclosed.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README states that the extractor auto-installs pdfmuse on first run, which means the skill performs network-based dependency installation and executes newly installed code rather than only parsing local files. In a resume-processing skill, this expands the trust boundary and can expose users to supply-chain risk or unexpected package download/execution in environments that assume offline, local-only handling.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Runtime package installation is not necessary for the core purpose of parsing resumes and introduces network-based code acquisition into a document-processing workflow. If an attacker can influence package resolution, mirrors, or the environment, they may achieve arbitrary code execution under the user's privileges.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill processes resumes containing highly sensitive personal data, and the README says the model reads extracted Markdown for semantic mapping without clearly warning users about that privacy exposure. In recruiting workflows, this can lead users to submit PII, employment history, contact details, and other sensitive information to an LLM without informed consent or appropriate handling expectations.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation guidance is broad enough to trigger on many generic resume-related requests, including screening and recruiting workflows that may involve large sets of sensitive personal data. Overbroad routing increases the chance the skill is invoked when the user did not intend bulk local parsing and output generation, expanding unnecessary exposure of PII.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill processes resumes, which commonly contain highly sensitive personal data, and writes that data into multiple local artifacts such as JSON, markdown summaries, and CSV indexes. Failing to clearly warn about this can lead to inadvertent bulk extraction, retention, and wider local dissemination of PII than the user expects, especially in batch mode.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The schema explicitly directs extraction and storage of sensitive personal attributes such as birth date, gender, marital status, political status, ethnicity, and photo. In a resume-parsing/recruiting workflow, collecting these fields without a clear data-minimization rule, consent gate, or warning increases privacy, discrimination, and regulatory risk because downstream systems may retain or use protected-class data unnecessarily.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script performs an unprompted package installation with only a brief stderr message, reducing user awareness and consent for a security-sensitive action. In the context of processing potentially untrusted resumes, silently broadening execution to include network retrieval and package install increases operational risk and can violate least surprise and change-control expectations.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pdfmuse
Confidence
93% confidence
Finding
pdfmuse

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.