LinkedIn Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it automates LinkedIn scraping through your logged-in Chrome session and includes anti-detection and bulk collection behavior that deserves careful review.

Install only if you are comfortable letting an agent browse LinkedIn through your logged-in Chrome profile. Keep use narrow, avoid large or stealthy scraping, confirm each search and batch before it runs, and decide in advance what personal data may be stored in DuckDB and when it should be deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs scraping LinkedIn through the user's authenticated Chrome session and includes stealth and anti-detection guidance, but it does not clearly warn about privacy implications, account suspension risk, Terms-of-Service issues, or handling of scraped personal data. In this context, omission is dangerous because it normalizes collection of profile and contact-related data from a logged-in account while reducing user awareness of legal, compliance, and account-security consequences.

Missing User Warnings

Medium
Confidence: 91%
Finding
The DuckDB section tells the agent to insert scraped lead/contact records into a local database without clearly informing the user that personal data from LinkedIn profiles will be stored persistently. That creates risk of silent retention of personal data, broader downstream reuse, and inadequate consent, deletion, or access controls for locally stored PII.

VirusTotal

65/65 vendors flagged this skill as clean.
