扫描报告
0 /100
frontend-cv
Create professional HTML/PDF resumes from any input format (md/pdf/word/txt). Extracts resume data, converts to structured YAML, generates styled HTML with multiple theme options, and exports to PDF.
This is a legitimate resume-to-HTML conversion skill. The three flagged IP addresses are false positives: they are floating-point SVG path coordinate values inside the GitHub logo's icon data, not network connections. The codebase performs no network I/O, accesses no credentials, and contains no obfuscation.
可以安装
No action needed. The skill is safe to use.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | READ | READ | ✓ 一致 | SKILL.md: reads user files via extract script; render_html.py reads YAML/theme f… |
| 文件系统 | WRITE | WRITE | ✓ 一致 | SKILL.md: writes resume_data.yaml, output HTML files; scripts use open() for wri… |
| 网络访问 | NONE | NONE | — | No urllib.request, httpx, socket.connect, or any outbound HTTP calls found; only… |
| 命令执行 | NONE | NONE | — | No subprocess, os.system, or shell invocation; only standard library imports (ht… |
| 环境变量 | NONE | NONE | — | No os.environ access; grep for credential-related patterns returned zero matches |
| 技能调用 | NONE | NONE | — | No inter-skill invocation |
| 剪贴板 | NONE | NONE | — | No clipboard access |
| 浏览器 | NONE | NONE | — | SKILL.md instructs user to open HTML manually; no headless browser automation |
| 数据库 | NONE | NONE | — | No database access |
3 高危 5 项发现
高危 IP 地址 硬编码 IP 地址
3.23.77.84 scripts/render_html.py:35 高危 IP 地址 硬编码 IP 地址
5.88.43.38 scripts/render_html.py:35 高危 IP 地址 硬编码 IP 地址
32.21.7.83 scripts/render_html.py:35 中危 外部 URL 外部 URL
https://claude.ai/claude-code README.md:116 中危 外部 URL 外部 URL
https://linkedin.com/in/ scripts/render_html.py:112 目录结构
11 文件 · 50.3 KB · 1800 行 Python 2f · 1007L
Markdown 4f · 498L
YAML 5f · 295L
├─
▾
references
│ ├─
▾
themes
│ │ ├─
classic.yaml
YAML
│ │ ├─
engineeringclassic.yaml
YAML
│ │ ├─
engineeringresumes.yaml
YAML
│ │ ├─
modern.yaml
YAML
│ │ └─
sb2nov.yaml
YAML
│ ├─
html-template.md
Markdown
│ └─
theme-presets.md
Markdown
├─
▾
scripts
│ ├─
extract_resume.py
Python
│ └─
render_html.py
Python
├─
README.md
Markdown
└─
SKILL.md
Markdown
依赖分析 4 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
pypdf | * | pip (imported in extract_resume.py) | 否 | Used only for PDF text extraction; not involved in any network or credential activity |
python-docx | * | pip (imported in extract_resume.py) | 否 | Used only for DOCX text extraction; not involved in any network or credential activity |
PyYAML | * | pip (imported in render_html.py) | 否 | Standard YAML parsing for theme configs and resume data; safe and widely used |
PyPDF2 | * | pip (mentioned in README.md) | 否 | Legacy alias for pypdf; deprecated but not malicious |
安全亮点
✓ No network I/O whatsoever — no HTTP requests, no socket connections, no data exfiltration possible
✓ No credential or secret access — environment variables, SSH keys, AWS credentials all untouched
✓ No obfuscation — no base64, eval, exec, or dynamic code loading
✓ No remote script execution — no curl|bash, wget|sh, or pip install from untrusted sources
✓ Clean dependency chain — only standard library (html, re, datetime, pathlib, yaml) plus pypdf/docx for document parsing
✓ Doc-to-code alignment — SKILL.md accurately describes all phases: extraction, YAML structuring, theme selection, HTML generation, PDF export
✓ The three flagged 'IP addresses' (3.23.77.84, 5.88.43.38, 32.21.7.83) are false positives: they are floating-point SVG path coordinate values in the GitHub logo icon (e.g., 3.8, 23.4 in 'M12 .5a12 12 0 0 0-3.8 23.4')
✓ All file operations are local — reading user-provided resume files and writing output HTML to the working directory only