Skills
skills/melodic-software/claude-code-plugins/resume-optimization/Gen Agent Trust Hub

resume-optimization

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external URLs.
  • Ingestion points: The skill uses WebFetch to retrieve job description content from URLs provided in $ARGUMENTS (SKILL.md).
  • Boundary markers: The workflow does not define any delimiters or system instructions to ignore embedded commands within the fetched job description.
  • Capability inventory: The skill has access to Read, Write, WebFetch, Glob, and Grep tools, allowing it to modify local files based on potentially poisoned external input.
  • Sanitization: There is no mention of sanitizing or escaping the fetched content before processing.
  • EXTERNAL_DOWNLOADS (LOW): The skill utilizes the WebFetch tool to download data from arbitrary external sources.
  • Evidence: SKILL.md includes WebFetch in the allowed-tools list and uses it to fetch job description content if a URL is provided as an argument.
  • Context: While this is a primary function of the skill, it represents an outbound network request to non-whitelisted domains.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 05:30 PM