Dataify Linkedin Company Information By Url

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it handles the Dataify API token in ways that could expose the credential.

Install only if you trust Dataify and are comfortable sending scraper parameters to its API. Avoid using the helper in shared terminals or logs because it can print your live token; prefer commands that reference $DATAIFY_API_TOKEN at execution time, store the token in a secret manager or short-lived session variable, and rotate the token if it was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to persist API tokens in shell profile files and user environment settings, which increases the chance of long-term secret exposure through dotfile syncing, backups, shared accounts, terminal history, or accidental disclosure. While not inherently malicious, it promotes weaker secret-handling practices without warning users about sensitivity, scope, or safer alternatives.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill requires use of a sensitive environment variable in a generated curl command but does not warn about secret leakage risks such as shell history, screenshots, logs, copied commands, or command auditing. In a skill that directly produces commands for users to run, omission of secret-handling guidance materially increases exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs users to persistently store DATAIFY_API_TOKEN in shell startup files or user environment settings without warning about the security tradeoff. Long-lived plaintext secrets in profile files can be exposed through local compromise, backups, dotfile syncing, shared accounts, or accidental disclosure, increasing the blast radius of token theft.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script prints a complete curl command containing a live Bearer token in cleartext. This can leak credentials through terminal scrollback, shell history, logs, CI output, screenshots, or copy/paste into tickets, allowing anyone with access to reuse the token against the Dataify API.

External Transmission

Medium
Category
Data Exfiltration
Content
The final `curl` command should be:

```bash
curl -X POST 'https://scraperapi.dataify.com/builder' \
  -H "Authorization: Bearer $DATAIFY_API_TOKEN" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'spider_name=linkedin.com' \
```
Confidence
88% confidence
Finding
`curl -X POST 'https://scraperapi.dataify.com/builder' \ -H "Authorization: Bearer $DATAIFY_API_TOKEN" \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'spider_name=linkedin.com' \ -`

VirusTotal

66/66 vendors flagged this skill as clean.
