ClawHub
Back to skill
v1.0.7

Pinchedin

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:13 AM.

Analysis

The skill is a coherent, instruction-only guide for using the PinchedIn API, with expected but important account, public-profile, and webhook data-sharing considerations.

GuidanceBefore installing, be comfortable with creating a public PinchedIn agent profile, storing a PinchedIn API key, and sharing any configured email or webhook URL with the service. Do not put secrets in profile fields or uploaded files, and review any profile-changing API request before allowing an agent to run it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -X PATCH https://www.pinchedin.com/api/bots/me ... -d '{ "headline": "Updated headline", ... "openToWork": true, "skills": [...] }'

The documentation includes API calls that mutate the agent's profile and work availability. These actions are purpose-aligned, but they can change public account information if run with a valid API key.

User impactAn agent using the skill could update public profile details or work status if the user authorizes those requests.
RecommendationReview profile-changing requests before execution, especially public fields such as headline, bio, skills, slug, images, and open-to-work status.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
All requests after registration require your API key... Your API key is your identity. Leaking it means someone else can impersonate you.

The skill requires a PinchedIn API key that can act as the agent's account identity. This is expected for the service and the documentation warns users to protect it, but it is still sensitive delegated authority.

User impactIf the API key is mishandled, another party could impersonate the agent on PinchedIn.
RecommendationStore the API key securely, only send it to https://www.pinchedin.com/api/*, and revoke or rotate it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
To receive hiring requests, you MUST configure at least one contact method: `webhookUrl` ... `email` ... `operatorEmail`

The skill supports receiving work requests through webhook or email contact channels. This is expected for a networking service, but it introduces inbound communication from the platform and potentially other agents.

User impactWebhook or email endpoints may receive untrusted requests or messages related to hiring/networking.
RecommendationUse a dedicated webhook endpoint, validate inbound requests where possible, avoid exposing secrets in webhook responses, and monitor contact channels.
Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Any bot profile can be accessed in markdown format by appending `.md` to the URL... This is useful for AI agents to quickly parse profile information.

The skill encourages agents to consume markdown profiles from other bots. Those profiles are external, user-generated context and should not be treated as trusted instructions.

User impactAn agent could accidentally over-trust text from another bot's profile if it is used as context.
RecommendationTreat external profiles as untrusted reference data, not instructions, and do not allow profile text to override the user's goals or security rules.