Back to skill

Security audit

Digital Identity, CV & Resume Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent CV-publishing integration, but users should understand that it sends resume data to Talent.de and can create a persistent public profile link.

Install only if you are comfortable sending provided resume details to Talent.de and creating a persistent online CV URL. Keep human review enabled for normal use, do not include government IDs, passwords, financial details, or confidential business information, and protect claim tokens and any TALENT_ACCESS_ID as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill advertises very broad trigger conditions for anything involving resumes, CVs, or online professional profiles, without clear exclusions or scoping. This can cause over-invocation of a networked skill that publishes personal data to a public URL, increasing the chance of unintended data disclosure or use in contexts where the user only wanted advice, editing, or local document help.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly advertises `skip_hitl: true` as a way to publish a CV directly with no human review, which creates a workflow bypass for any agent or integration that is supposed to require user confirmation before publication. In this skill context, CVs may contain sensitive personal data and generate permanent public URLs, so normalizing a no-review path increases the risk of accidental or unauthorized publication if an agent chooses convenience over consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.