Back to skill

Security audit

Linkedin Post

Security checks across malware telemetry and agentic risk

Overview

This is a local LinkedIn content logging tool; its main risk is that entered drafts and related text are saved locally and can be searched or exported.

Install only if you are comfortable with LinkedIn drafts, schedules, headlines, comments, and similar entered text being stored in plaintext under ~/.local/share/linkedin-post and later searchable or exportable. Avoid entering confidential client data, internal metrics, or embargoed announcements unless you plan to manage or delete those local files yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill persistently stores user-provided content, including drafts, schedules, translations, and other potentially sensitive professional material, but does not present an explicit privacy warning or retention notice. This can lead users to input confidential business information without understanding it will be retained on disk and exportable in bulk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persistently stores all user-supplied post content to local log files without clear upfront disclosure or consent. Because LinkedIn drafts, headlines, and rewrites may contain confidential business plans, personal data, or unpublished announcements, silent retention increases the risk of unintended disclosure from local compromise, backups, shared accounts, or later export.

Ssd 3

Medium
Confidence
97% confidence
Finding
The tool is designed to collect and retain all user input, then makes bulk review and extraction easy through search, recent, and export commands in plain text, CSV, and JSON. In the context of a content-writing skill, users may paste sensitive drafts, customer names, internal metrics, or embargoed material, so this broad local data-surveillance capability is more dangerous than the manifest suggests and materially increases confidentiality risk.

VirusTotal

39/39 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.