agent-resume
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to build and execute shell commands using the resumy CLI tool. It maps untrusted user data (candidate background, experience, and job descriptions) directly to command-line flags such as --summary and --experience. The instructions provide no mechanism for sanitizing or escaping shell metacharacters, so command injection is possible if the user input contains sequences (e.g., backticks or semicolons) that break out of the double quotes around the argument.
- [EXTERNAL_DOWNLOADS]: In references/resumy-cli.md, the skill provides instructions for the agent to execute bunx playwright install chromium as a fallback for PDF generation. This triggers a runtime download and installation of an external browser binary. While Playwright is a well-known tool, runtime binary installations are a significant security surface.
- [PROMPT_INJECTION]: The skill ingests and processes untrusted data from existing resumes, profiles, and job descriptions, making it susceptible to indirect prompt injection. Maliciously crafted content in these documents could influence the agent's behavior or cause it to generate harmful command-line arguments.
  - Ingestion points: Candidate artifacts (resumes, notes, portfolios) and target job descriptions (SKILL.md, intake-and-tailoring.md).
  - Boundary markers: None identified; data is processed as raw text without delimiters.
  - Capability inventory: Shell command execution via the resumy CLI and Playwright (references/resumy-cli.md).
  - Sanitization: None present; the skill lacks validation or escaping logic for external content.
Recommendations
- AI detected serious security threats
Audit Metadata