Resume Ats

Security checks across malware telemetry and agentic risk

Overview

This is a local resume/ATS CLI with an expected privacy caveat around resume data, and I found no evidence of hidden uploads, destructive actions, or unsafe automation.

Install only if you are comfortable processing resumes and job descriptions on this system. Treat uploaded or analyzed files as sensitive, consider redacting addresses, phone numbers, references, and employer-confidential details, and check or clear the configured local database path if you do not want resume content retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 72%
Finding
The function persists full resume content, which can contain sensitive personal data such as addresses, phone numbers, employment history, and other PII, into a local database without any indication here of consent, retention controls, encryption, or deletion policy. In the context of a resume/ATS skill, handling highly sensitive user-provided documents makes silent persistence materially riskier if the host system is shared, compromised, or backed up unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
