resume-master Security Report — Trusted | ClawSafe

5 /100

resume-master

通过直接编写可编辑的 HTML 源文件，来创建新简历或根据职位描述（JD）量身定制现有简历，最终交付可打印 PDF

The resume-master skill is a legitimate HTML-to-PDF resume creation tool with well-documented subprocess usage for PDF processing and no malicious behavior detected.

Skill Nameresume-master

Duration40.6s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns requiring action.

Findings 2 items

Severity	Finding	Location
Low	External image URL in template references Aliyun OSS Sensitive Access The 典雅酒红.html template references a photo from an Aliyun OSS CDN (https://oss-pai-wwja1ucw1pykevvz32-cn-shanghai.oss-cn-shanghai.aliyuncs.com/aicv/recv/photo.png). This is a template example photo, not a data exfiltration risk. `<img src="https://oss-pai-wwja1ucw1pykevvz32-cn-shanghai.oss-cn-shanghai.aliyuncs.com/aicv/recv/photo.png" alt="李明轩证件照" class="photo">` → Informational only. Template resource reference, not exfiltration.	`assets/template_refs/html/典雅酒红.html:173`
Low	External CDN URL in template Sensitive Access The 极客风尚.html template references Font Awesome from cdnjs.cloudflare.com. Standard resource dependency. `https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css` → Informational only. Standard CDN dependency for icons.	`assets/template_refs/html/极客风尚.html:10`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares use of scripts/render_pdf.py, scripts/pdf_to_images.py, script…
Filesystem	`READ`	`READ`	✓ Aligned	Scripts read/write user-provided HTML and PDF files in working directory only
Network	`NONE`	`READ`	✓ Aligned	HTML templates contain external CDN URLs (font-awesome, Aliyun OSS photo). Decla…

4 findings

🔗

Medium External URL 外部 URL

https://oss-pai-wwja1ucw1pykevvz32-cn-shanghai.oss-cn-shanghai.aliyuncs.com/aicv/recv/photo.png

assets/template_refs/html/典雅酒红.html:173

🔗

Medium External URL 外部 URL

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css

assets/template_refs/html/极客风尚.html:10

🔗

Medium External URL 外部 URL

https://limingxuan.dev

assets/template_refs/html/极客风尚.html:48

🔗

Medium External URL 外部 URL

https://www.bilibili.com/video/BV1SmartDataFlow

assets/template_refs/html/极客风尚.html:123

File Tree

11 files · 95.4 KB · 2273 lines

HTML 5f · 1566L Python 3f · 594L Markdown 1f · 91L Text 1f · 15L YAML 1f · 7L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 7L · 252 B

├─ ▾ 📁 assets

│ ├─ ▾ 📁 examples

│ │ └─ 📄 jd.example.txt Text 15L · 593 B

│ └─ ▾ 📁 template_refs

│ └─ ▾ 📁 html

│ ├─ 📄 典雅酒红.html HTML 289L · 11.7 KB

│ ├─ 📄 极客风尚.html HTML 572L · 20.1 KB

│ ├─ 📄 极简纯白.html HTML 431L · 15.8 KB

│ ├─ 📄 沉稳双栏.html HTML 273L · 11.5 KB

│ └─ 📄 清新蓝灰.html HTML 1L · 13.1 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 pdf_page_count.py Python 126L · 3.8 KB

│ ├─ 🐍 pdf_to_images.py Python 314L · 9.0 KB

│ └─ 🐍 render_pdf.py Python 154L · 4.9 KB

└─ 📝 SKILL.md Markdown 91L · 4.8 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`pypdf`	`*`	pip	No	Optional fallback for pdf_page_count.py
`pymupdf`	`*`	pip	No	Optional for pdf_to_images.py

Security Positives

✓ SKILL.md clearly documents all three scripts and their purposes

✓ Subprocess calls are limited to legitimate PDF processing tools (pdfinfo, pdftoppm, magick, Chrome)

✓ Chrome is invoked with security flags: --headless=new, --disable-gpu, --no-extensions

✓ No credential harvesting or environment variable enumeration

✓ No base64-encoded commands or obfuscation

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No C2 communication or data exfiltration endpoints

✓ No persistence mechanisms (cron, startup hooks, backdoors)

✓ No supply chain risks - only standard PDF/Python dependencies

✓ Templates are static HTML resume examples with no hidden JavaScript

Scan Report

Findings 2 items

File Tree

Dependencies 2 items

Security Positives