Security audit

LinkedIn Poster

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SocialCannon integration for publishing and managing social media posts, with no artifact-backed evidence of hidden or unrelated behavior.

Install only if you trust SocialCannon with the connected social accounts and are comfortable storing its client ID and client secret in your agent environment. Because the skill can publish, reply, schedule, and attempt deletions on public platforms, require the agent to show the exact account, content, media, timing, and action before making write operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger description includes broad phrases such as "post to LinkedIn," "share on LinkedIn," and "publish to my feed," which are common natural-language requests and may cause the skill to activate in situations where the user did not specifically intend this exact posting workflow. Because this skill can publish externally to a public social platform, accidental over-invocation increases the risk of unintended content posting or premature action selection in multi-skill environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.