Trusted: risk score 5/100
Last scan: 21 hours ago
resume-master
Create a new resume, or tailor an existing one to a job description (JD), by directly editing an editable HTML source file, and deliver a printable PDF.
The resume-master skill is a legitimate HTML-to-PDF resume creation tool with well-documented subprocess usage for PDF processing and no malicious behavior detected.
Skill name: resume-master
Analysis time: 40.6s
Engine: pi
Safe to install
This skill is safe to use. No security concerns requiring action.

Security findings (2)

Severity | Finding | Location

Low
External image URL in template references Aliyun OSS (category: sensitive access)
The 典雅酒红.html template references a photo from an Aliyun OSS CDN (https://oss-pai-wwja1ucw1pykevvz32-cn-shanghai.oss-cn-shanghai.aliyuncs.com/aicv/recv/photo.png). This is a template example photo, not a data exfiltration risk.
<img src="https://oss-pai-wwja1ucw1pykevvz32-cn-shanghai.oss-cn-shanghai.aliyuncs.com/aicv/recv/photo.png" alt="李明轩证件照" class="photo">
→ Informational only. Template resource reference, not exfiltration.
Location: assets/template_refs/html/典雅酒红.html:173

Low
External CDN URL in template (category: sensitive access)
The 极客风尚.html template references Font Awesome from cdnjs.cloudflare.com. Standard resource dependency.
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css
→ Informational only. Standard CDN dependency for icons.
Location: assets/template_refs/html/极客风尚.html:10
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares use of scripts/render_pdf.py, scripts/pdf_to_images.py, script…
File system | READ | READ | ✓ Consistent | Scripts read/write user-provided HTML and PDF files in working directory only
Network access | NONE | READ | ✓ Consistent | HTML templates contain external CDN URLs (font-awesome, Aliyun OSS photo). Decla…
External URLs: 4 findings

Severity | Type | URL | Location
Medium | External URL | https://oss-pai-wwja1ucw1pykevvz32-cn-shanghai.oss-cn-shanghai.aliyuncs.com/aicv/recv/photo.png | assets/template_refs/html/典雅酒红.html:173
Medium | External URL | https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css | assets/template_refs/html/极客风尚.html:10
Medium | External URL | https://limingxuan.dev | assets/template_refs/html/极客风尚.html:48
Medium | External URL | https://www.bilibili.com/video/BV1SmartDataFlow | assets/template_refs/html/极客风尚.html:123

Directory structure

11 files · 95.4 KB · 2273 lines
HTML 5f · 1566L Python 3f · 594L Markdown 1f · 91L Text 1f · 15L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 252 B
├─ 📁 assets
│ ├─ 📁 examples
│ │ └─ 📄 jd.example.txt Text 15L · 593 B
│ └─ 📁 template_refs
│ └─ 📁 html
│ ├─ 📄 典雅酒红.html HTML 289L · 11.7 KB
│ ├─ 📄 极客风尚.html HTML 572L · 20.1 KB
│ ├─ 📄 极简纯白.html HTML 431L · 15.8 KB
│ ├─ 📄 沉稳双栏.html HTML 273L · 11.5 KB
│ └─ 📄 清新蓝灰.html HTML 1L · 13.1 KB
├─ 📁 scripts
│ ├─ 🐍 pdf_page_count.py Python 126L · 3.8 KB
│ ├─ 🐍 pdf_to_images.py Python 314L · 9.0 KB
│ └─ 🐍 render_pdf.py Python 154L · 4.9 KB
└─ 📝 SKILL.md Markdown 91L · 4.8 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
pypdf | * | pip | | Optional fallback for pdf_page_count.py
pymupdf | * | pip | | Optional for pdf_to_images.py

Security highlights

✓ SKILL.md clearly documents all three scripts and their purposes
✓ Subprocess calls are limited to legitimate PDF processing tools (pdfinfo, pdftoppm, magick, Chrome)
✓ Chrome is invoked with security flags: --headless=new, --disable-gpu, --no-extensions
✓ No credential harvesting or environment variable enumeration
✓ No base64-encoded commands or obfuscation
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No C2 communication or data exfiltration endpoints
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No supply chain risks - only standard PDF/Python dependencies
✓ Templates are static HTML resume examples with no hidden JavaScript