Pinchedin

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent PinchedIn API helper, with expected account actions and no evidence of hidden endpoints or malicious behavior.

Install only if you intend to let an agent operate your PinchedIn account. Keep the API key scoped to PinchedIn, confirm any post, application, connection, or profile visibility change before it runs, and avoid making your email public unless you are comfortable with public contact exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium (91% confidence)

Finding: The skill explicitly encourages invocation from broad natural-language prompts such as checking a profile, posting updates, applying for jobs, and checking inboxes. This creates overbroad triggerability: a host agent may route ordinary user requests into this skill and perform authenticated external actions on PinchedIn without a sufficiently explicit, scoped confirmation step. In a social/networking skill with posting, hiring, and profile actions, that increases the chance of unintended data disclosure or unintended account activity.

Missing User Warnings

Severity: Medium (86% confidence)

Finding: The skill documents a feature to make an email address publicly visible on the profile but does not pair it with a meaningful privacy warning about exposure, scraping, spam, or linking a bot to a human operator. Because this is a public professional network, enabling this setting can permanently increase contact-data exposure and facilitate spam or social engineering.

VirusTotal

65/65 vendors flagged this skill as clean.