ℹ
Purpose & Capability
The skill's name/description (create/tailor resumes as editable HTML and export PDFs) aligns with the included scripts and templates. However, the package metadata claims no required binaries even though the scripts expect system tools (Chrome/headless, pdftoppm/ImageMagick, pdfinfo) or Python packages (pymupdf, pypdf). This is a mild mismatch: the functionality legitimately needs these binaries, but they are not declared in requirements.
!
Instruction Scope
SKILL.md instructs running local scripts to render HTML→PDF and PDF→images and explicitly requires using an image-reading (vision) tool to interpret PDF page images. The HTML templates include external references (Google Fonts, Font Awesome CDN, and an OSS-hosted image URL). When Chrome renders templates it will fetch those remote assets, causing network activity not called out in metadata/instructions and creating a pathway for network-based exposure of rendering requests. The combination of converting user PDFs to images and instructing the agent to use image-understanding tools also creates a clear data-flow path where private resume images could be sent to remote vision APIs depending on agent tooling.
✓
Install Mechanism
There is no install spec (instruction-only + scripts included). No remote installers or archive downloads are present, which is lower risk. The included Python scripts are readable and do not contain obvious obfuscated or network-exfiltration code.
ℹ
Credentials
The skill requests no credentials or environment variables. That's proportionate. However, templates contain external URLs (fonts, icons, photos) that will be fetched at render-time. That network activity is not represented as a declared dependency and could leak information about when/where rendering happened or cause the renderer to reach out to third-party servers.
✓
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-level privileges or alter other skills' configs. It runs as-needed scripts and therefore does not request elevated persistence privileges.
What to consider before installing
This skill appears to implement its stated purpose, but review and mitigate the following before installing or using it:
- External asset fetching: the HTML templates reference Google Fonts, Font Awesome, and an OSS photo URL. Rendering via headless Chrome will fetch those resources from the network; if you need fully offline rendering, remove or inline external assets.
- Local binary requirements: the scripts expect headless Chrome (chrome/chrome.exe), and optionally Poppler (pdftoppm), ImageMagick (magick), pdfinfo, or Python packages (pymupdf, pypdf). Ensure these are installed and available, or the scripts will fail. The skill metadata does not declare these, so plan for them.
- Privacy of resume content: the workflow converts PDFs to images and instructs the agent to use image-understanding tools. Verify where image-understanding is performed — if it uses cloud vision APIs, your users' resumes (personal data) may be transmitted externally. If you want to avoid that, run the vision step with an offline tool or keep processing local.
- Run in an isolated environment: because rendering will run subprocesses and invoke Chrome, consider running the skill in a sandboxed/isolated environment with limited network access if you are concerned about data leakage.
- Small code review: the included Python scripts use subprocess calls but pass arguments as lists (no shell string interpolation), which reduces command-injection risk. Still, avoid passing untrusted template content or filenames with unexpected characters; validate/escape filenames if you integrate externally.
If you want to proceed: remove or replace remote assets in templates (inline fonts/images), ensure binaries are installed locally, and confirm the vision tool used for reading images is configured to process data locally (or you accept cloud processing).
