Scan Report
0 /100
frontend-cv
Create professional HTML/PDF resumes from any input format (md/pdf/word/txt). Extracts resume data, converts to structured YAML, generates styled HTML with multiple theme options, and exports to PDF.
This is a legitimate resume-to-HTML conversion skill. The three flagged IP addresses are false positives: they are floating-point SVG path coordinate values inside the GitHub logo's icon data, not network connections. The codebase performs no network I/O, accesses no credentials, and contains no obfuscation.
Safe to install
No action needed. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md: reads user files via extract script; render_html.py reads YAML/theme f… |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: writes resume_data.yaml, output HTML files; scripts use open() for wri… |
| Network | NONE | NONE | — | No urllib.request, httpx, socket.connect, or any outbound HTTP calls found; only… |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell invocation; only standard library imports (ht… |
| Environment | NONE | NONE | — | No os.environ access; grep for credential-related patterns returned zero matches |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | SKILL.md instructs user to open HTML manually; no headless browser automation |
| Database | NONE | NONE | — | No database access |
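3 High · 5 findings
| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| High | IP Address | Hard-coded IP address | 3.23.77.84 | scripts/render_html.py:35 |
| High | IP Address | Hard-coded IP address | 5.88.43.38 | scripts/render_html.py:35 |
| High | IP Address | Hard-coded IP address | 32.21.7.83 | scripts/render_html.py:35 |
| Medium | External URL | External URL | https://claude.ai/claude-code | README.md:116 |
| Medium | External URL | External URL | https://linkedin.com/in/ | scripts/render_html.py:112 |
File Tree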
11 files · 50.3 KB · 1800 lines
Python 2f · 1007L
Markdown 4f · 498L
YAML 5f · 295L
├─ references
│ ├─ themes
│ │ ├─ classic.yaml (YAML)
│ │ ├─ engineeringclassic.yaml (YAML)
│ │ ├─ engineeringresumes.yaml (YAML)
│ │ ├─ modern.yaml (YAML)
│ │ └─ sb2nov.yaml (YAML)
│ ├─ html-template.md (Markdown)
│ └─ theme-presets.md (Markdown)
├─ scripts
│ ├─ extract_resume.py (Python)
│ └─ render_html.py (Python)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| pypdf | * | pip (imported in extract_resume.py) | No | Used only for PDF text extraction; not involved in any network or credential activity |
| python-docx | * | pip (imported in extract_resume.py) | No | Used only for DOCX text extraction; not involved in any network or credential activity |
| PyYAML | * | pip (imported in render_html.py) | No | Standard YAML parsing for theme configs and resume data; safe and widely used |
| PyPDF2 | * | pip (mentioned in README.md) | No | Legacy alias for pypdf; deprecated but not malicious |
Security Positives
✓ No network I/O whatsoever — no HTTP requests, no socket connections, no data exfiltration possible
✓ No credential or secret access — environment variables, SSH keys, AWS credentials all untouched
✓ No obfuscation — no base64, eval, exec, or dynamic code loading
✓ No remote script execution — no curl|bash, wget|sh, or pip install from untrusted sources
✓ Clean dependency chain — only standard library (html, re, datetime, pathlib, yaml) plus pypdf/docx for document parsing
✓ Doc-to-code alignment — SKILL.md accurately describes all phases: extraction, YAML structuring, theme selection, HTML generation, PDF export
✓ The three flagged 'IP addresses' (3.23.77.84, 5.88.43.38, 32.21.7.83) are false positives: they are floating-point SVG path coordinate values in the GitHub logo icon (e.g., 3.8, 23.4 in 'M12 .5a12 12 0 0 0-3.8 23.4')
✓ All file operations are local — reading user-provided resume files and writing output HTML to the working directory only