Back to skill

Security audit

简历教练(深挖用户优势)

Security checks across malware telemetry and agentic risk

Overview

This resume-coach skill is coherent and non-executable, but it asks the agent to persist detailed personal career data without clear consent, retention, or deletion controls.

Install only if you are comfortable sharing resume-level personal details with your agent's memory system. Before use, ask the agent not to save phone numbers, email addresses, addresses, employer details, or other sensitive facts unless you explicitly approve, and disable memory or request deletion if your platform supports it. Consider replacing or removing the remote appreciation-code image if generated documents should not load external resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly advertises a memory function that records user information for later use, but it provides no notice about what data is stored, how long it is retained, who can access it, or how users can opt out. Because this skill collects highly sensitive career data such as work history, achievements, and potentially personal identifiers, silent retention increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow instructs the agent to save user information for future use without any built-in consent step or warning. In the context of a resume coach, the stored content may include employment history, education, project details, and other personal or confidential career information, making unauthorized or unexpected retention more dangerous.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow explicitly instructs saving a broad set of personal data, including contact details, education, work history, and project experience, but does not require a user-facing consent notice, retention policy, or clear opt-in before storage. In a resume-coaching skill, this creates meaningful privacy and compliance risk because the system is designed to aggregate highly identifying and sensitive career information over time.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.