cv-creator
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE PROMPT_INJECTION EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation points to a production-ready implementation hosted on the author's GitHub repository (github.com/erichowens/cv-creator). This is a vendor-managed resource.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection attack surface through its 'Quick Optimization' workflow, which processes external data.
  - Ingestion points: The skill uses the `WebFetch` tool to ingest job descriptions directly from external URLs provided by the user (described in references/interfaces-integration.md).
  - Boundary markers: No specific boundary markers or defensive instructions (e.g., delimiters or warnings to ignore embedded instructions) are documented for the ingestion of external job descriptions.
  - Capability inventory: The skill has access to several powerful tools, including `Read`, `Write`, `Edit`, `WebFetch`, and `WebSearch` (specified in SKILL.md).
  - Sanitization: There is no evidence of sanitization, filtering, or validation processes for the data fetched from remote job descriptions before it is integrated into the prompt for resume tailoring.
Audit Metadata