LinkedIn Skills

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn automation skill matches its stated purpose, but it gives a local browser bridge broad, under-protected control over a real logged-in LinkedIn account.

Install only if you are comfortable giving a local Python process and Chrome extension control over your real LinkedIn session. Use a dedicated Chrome profile, keep the bridge off when not in use, personally confirm every post/comment/message/connection before it runs, and avoid installing on a machine where untrusted local software could connect to localhost services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell execution, network access, and file-write behavior but does not declare any explicit permissions or equivalent guardrails in metadata. In a LinkedIn automation context, those capabilities can act on a live authenticated browser session and local files, making the mismatch between declared trust boundaries and actual capability meaningful to a caller or hosting platform.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The README advertises lead-generation and outreach functions that go beyond the stated triggered scope and can drive agents toward bulk prospecting and unsolicited contact workflows. In an automation skill that uses a real logged-in LinkedIn account, overstating capabilities increases the risk of deceptive or policy-violating use, even if the README is only documentation.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
Claiming direct-messaging capability in documentation when it is not reflected in the manifest creates a scope mismatch that can mislead users or agent frameworks about what the skill is supposed to do. In this context, messaging is a high-sensitivity social action performed through a real user account, so undocumented or inconsistently documented capability is more dangerous than a harmless docs error.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The command handler accepts a remotely supplied URL and uses privileged extension APIs to navigate the LinkedIn tab there, while the broader design also permits fallback execution of arbitrary DOM commands. In an agent-controlled browser extension, generic navigation is dangerous because it expands control beyond narrowly scoped LinkedIn actions and can be chained with later cookie/script operations to act on unintended pages or phishing flows.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
cmdEvaluateViaDebugger executes arbitrary JavaScript supplied over the WebSocket bridge in the active LinkedIn tab using chrome.debugger Runtime.evaluate. This gives whoever can send bridge messages effectively unrestricted code execution in the page context, enabling theft of page data, account actions, DOM manipulation, and extraction of sensitive tokens or content far beyond the stated automation scope.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The manifest requests the powerful Chrome debugger permission even though the stated purpose is only to bridge a local CLI to browser automation for LinkedIn. Debugger access can inspect and control page/network activity far beyond normal automation, increasing the risk of credential theft, session hijacking, interception of sensitive LinkedIn data, or abuse of unrelated tabs if the extension logic is compromised or overreaches.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill declares that all operations must go through `python scripts/cli.py` and lists allowed subcommands, but its failure-handling section instructs the agent to verify login with `check-login`, which is not in the allowed set. This inconsistency can cause agents to step outside the documented boundary or invoke undefined functionality, weakening control over what commands are permitted.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough that ordinary requests to analyze, browse, message, or operate on LinkedIn content may automatically route into an automation skill with live account access. In this context, overbroad activation increases the chance of unintended use of authenticated session capabilities, especially for actions that can publish, message, or connect on the user's behalf.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The get_cookies command exposes all cookies for a caller-specified domain, defaulting to linkedin.com, and returns them over the bridge without any user awareness or approval. LinkedIn cookies may include session identifiers or other authentication material, so this creates a direct credential and account-takeover risk if the local bridge client is malicious or compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The extension maintains an unauthenticated WebSocket connection to ws://localhost:9336 and sends command results back to that local service, which may include cookies, page contents, and outputs of arbitrary script execution. 'Local only' does not make this safe: any untrusted process on the host, malware, or a rogue local service listening on that port can issue commands and receive sensitive browser data without user visibility.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The delete-cookies/logout command performs a state-changing action immediately with no confirmation or dry-run guard. In an agent skill context, this is more dangerous because an LLM or wrapper may invoke the command from ambiguous user intent, unexpectedly logging the user out and disrupting active sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The like and comment actions execute immediately and cause external side effects on a real LinkedIn account without a final confirmation step. In this skill's automation context, that raises the risk of accidental reputation damage, unwanted engagement, or abuse if triggered by prompt confusion or malformed task routing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Sending connection requests and direct messages creates outbound communications that can affect the user's relationships, privacy, and reputation, yet the code sends them with no explicit warning or confirmation. In an AI-agent setting this is especially risky because a misinterpreted instruction could result in unsolicited messages or networking actions from the user's account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Post publishing submits content directly to LinkedIn with no pre-flight confirmation, which can immediately expose unintended text or images to a public or professional audience. Given this skill's purpose of automating LinkedIn actions, the context makes this more dangerous because a single mistaken invocation can cause visible, hard-to-undo reputational harm.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The get_cookies method exposes browser session cookies through a local WebSocket bridge with no authentication, authorization, consent check, or scope restriction visible in this file. In a LinkedIn automation skill, cookies are highly sensitive because they can enable session hijacking or reuse of an authenticated LinkedIn session, and the bridge abstraction makes exfiltration or misuse easier if any caller can invoke this method.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is broad enough to activate on generic requests for analysis or batch engagement tasks, which can cause this skill to be selected outside its intended LinkedIn-specific scope. In an automation context, over-broad routing increases the chance of unintended execution of social-media actions or collection of profile/content data when the user did not clearly intend LinkedIn operations.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger text says the skill is activated when a user asks to search, browse, view, or look up anything on LinkedIn, which is broad enough to capture many generic browsing requests. In an agent environment, overbroad routing can misfire and send unrelated requests into a LinkedIn automation skill, increasing the chance of unintended external actions or data access in the wrong context.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger text is broad enough to activate on generic requests about finding prospects, clients, or outreach campaigns, which can cause the agent to enter a high-risk automation flow without sufficiently specific user intent. In this skill, activation can lead to profile enrichment and outreach actions on LinkedIn, so an overly loose trigger increases the chance of unintended lead-gen or messaging behavior.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is broad enough to match many ordinary LinkedIn-related requests, which can cause this publishing skill to activate when the user intended a different LinkedIn operation. In an automation context, misrouting is security-relevant because it increases the chance of presenting or executing posting flows for unrelated requests, especially when combined with account-authenticated actions.

Session Persistence

Medium
Category
Rogue Agent
Content
Route user intent by priority:

1. **Authentication** ("login / check login / log out") → Execute `linkedin-auth` skill.
2. **Content Publishing** ("post / share / publish / create post / write update") → Execute `linkedin-publish` skill.
3. **Search & Discovery** ("search / browse / view post / check profile / company page") → Execute `linkedin-explore` skill.
4. **Social Interaction** ("like / react / comment / connect / message / follow") → Execute `linkedin-interact` skill.
5. **Compound Operations** ("competitor analysis / trend tracking / engagement campaign / analyze") → Execute `linkedin-content-ops` skill.
Confidence
88% confidence
Finding
create post / write update") → Execute `linkedin-publish` skill. 3. **Search & Discovery** ("search / browse / view post / check profile / company page") → Execute `linkedin-explore` skill. 4. **Socia

VirusTotal

67/67 vendors flagged this skill as clean.
