Back to skill

Security audit

"dataify-linkedin-company-information-by-url"

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Dataify request builder, but users should handle the Dataify API token carefully.

Install only if you intend to use Dataify for LinkedIn scraping requests. Keep DATAIFY_API_TOKEN private, prefer a secure secret store or carefully protected environment variable, and review the generated curl command before running it because it will send your token and supplied parameters to Dataify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to access environment variables, read local files, and produce shell commands, but it does not declare these capabilities or any permission boundaries. That creates an authorization and transparency gap: a user may not realize the skill can inspect local state and handle secrets while preparing a request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The token setup instructions encourage placing a live API credential into shell commands and profile files without warning about shell history, shared terminals, repo-backed dotfiles, or least-privilege handling. This can lead to accidental credential disclosure or long-lived secret persistence in locations that are broadly readable or synced.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: "dataify-linkedin-company-information-by-url"
description: "Prepare Dataify builder requests for the linkedin.com scraper family rooted at linkedin_company_information_by-url. Use  when needs to work with the successful Dataify scraper detail entry for linkedin_company_information_by-url, let the user choose one of its available tools, read saved getToolParams options, and generate a scraperapi.dataify.com/builder curl request with DATAIFY_API_TOKEN."
---

# Dataify Builder Skill
Confidence
88% confidence
Finding
curl request with DATAIFY_API_TOKEN." --- # Dataify Builder Skill Use this skill to prepare Dataify builder requests for the scraper family rooted at `linkedin_company_information_by-url` on `linked

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: "dataify-linkedin-company-information-by-url"
description: "为 linkedin.com 上以 linkedin_company_information_by-url 为根的 scraper 系列准备 Dataify builder 请求。当需要处理成功的 Dataify scraper detail 条目 linkedin_company_information_by-url、让用户选择可用工具、读取已保存的 getToolParams 选项,并使用 DATAIFY_API_TOKEN 生成 scraperapi.dataify.com/builder curl 请求时,使用此 skill。"
---

# Dataify Builder Skill 中文版
Confidence
83% confidence
Finding
curl 请求时,使用此 skill。" --- # Dataify Builder Skill 中文版 这个 skill 用于为 `linkedin.com` 下、以 `linkedin_company_information_by-url` 为入口的 Dataify scraper 工具族生成 builder 请求。 ## 工作流程 1. 先检查环境变量中是否存在 `DATAIFY_A

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.