AI产品经理简历维护 (AI Product Manager Résumé Maintenance)
Review
Audited by ClawScan on May 10, 2026.
Overview
This résumé-maintenance skill is mostly purpose-aligned, but its dashboard/export flow can execute unescaped résumé-derived content and third-party CDN scripts, which deserves review before use.
Use this skill only if you are comfortable storing résumé/worklog data in the local career/ai-pm-campus workspace. Before using visualize or export, consider fixing the dashboard so that it never assigns unsanitized content to innerHTML and loads local or integrity-pinned frontend libraries instead of live CDN scripts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted résumé, worklog, or points-pool entry could run JavaScript when the local dashboard is opened or used during PDF export, potentially changing the preview or sending résumé contents elsewhere.
Gap text is extracted from local Markdown inputs and inserted into the generated dashboard using innerHTML without escaping or DOMPurify sanitization for that field.
container.innerHTML = gaps.map(gap => `... <span class="text-gray-700">${gap}</span> ...`).join('');
Render all user-derived values with textContent or explicit HTML escaping, sanitize every innerHTML insertion, and safely escape JSON embedded inside script tags.
If a CDN asset changes or is compromised, third-party code could run in the résumé dashboard and access the displayed personal data.
The generated local dashboard loads third-party JavaScript from CDNs at runtime, including unpinned or integrity-unverified assets, while displaying personal résumé content.
<script src="https://cdn.tailwindcss.com"></script> ... <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script> ... <script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.8/dist/purify.min.js"></script>
Bundle vetted local copies of the libraries or pin exact versions with Subresource Integrity, and clearly disclose that opening the dashboard requires loading third-party scripts.
Personal résumé details, work logs, project labels, and gap analyses will remain on disk for later reuse.
The skill intentionally maintains a persistent local résumé/worklog/points repository across runs.
Default root directory: `career/ai-pm-campus/` ... `inputs/worklog/` ... `inputs/points-pool/master-points.md` ... `outputs/resume-onepage.md` ... output must be written to disk as files
Keep the workspace private, avoid storing unnecessary sensitive details, and review or delete generated files before sharing or syncing the directory.
