Linkedin Ads CLI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent LinkedIn marketing integration, with expected access to ad analytics and lead data but no evidence of hidden or destructive behavior.

Install only if you intend to let the agent work with authorized LinkedIn Marketing data. Use least-privileged credentials, avoid fetching lead submissions unless needed, filter by account/form/date where possible, and avoid displaying unnecessary personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly enables retrieval of lead form submissions, which can contain personal data, but it provides no user-facing privacy warning, consent check, or minimization guidance. In this context, the omission increases the risk that an agent will fetch and expose sensitive lead information more broadly than the user intended.

Scope Creep

Low
Category
Excessive Agency
Content
Default metric fields (when `--fields` is not specified): `impressions`, `clicks`, `costInLocalCurrency`, `costInUsd`, `externalWebsiteConversions`, `likes`, `comments`, `shares`, `follows`, `videoViews`

The CLI passes `--fields` and `--pivot` values directly to the LinkedIn API without validation. Additional fields and pivot values beyond the documented defaults may be available. Refer to the [LinkedIn Ad Analytics API docs](https://learn.microsoft.com/en-us/linkedin/marketing/integrations/ads-reporting/ads-reporting) for the full list.

### Audiences & targeting
Confidence: 88%
Finding
beyond the documented

VirusTotal

64/64 vendors flagged this skill as clean.
