ai-used-resume

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly ingests external, potentially untrusted content — e.g., the top-level description lists cloud exports and git commits as extractor sources and Procedure step 4/5 shows running "uv run vibe-resume extract" and "uv run vibe-resume enrich --tailor data/imports/jd.txt", which feed job-description files and cloud-exported/user-provided content into LLM-driven enrichment and review steps that can materially change prompts, scoring, and rendering.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs at runtime to clone and install the repository https://github.com/easyvibecoding/vibe-resume, which would fetch and install remote code that provides CLI behavior and persona/prompt modules that directly control agent prompts and execution.