Linkedin Monitor

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn monitor is mostly purpose-aligned, but it deserves Review because it stores LinkedIn session cookies locally, forwards private inbox content to chat channels, and can be configured to act from the user's account automatically.

Install only if you are comfortable granting an agent ongoing access to your LinkedIn inbox. Keep autonomy at Level 0 or 1 unless you have reviewed the outbound-message behavior, use a private alert channel, avoid or tightly protect stored cookies, and disable cron/remove ~/.clawdbot/linkedin-monitor data when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation indicates access to environment data and local file writes, including persistent state under ~/.clawdbot/linkedin-monitor/, but does not declare corresponding permissions. Undeclared capabilities weaken user consent and sandboxing assumptions, especially for a skill that handles messaging workflows and may process sensitive account state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior extends beyond simple inbox monitoring into credential handling, local persistence of authentication material, dependency and browser state checks, cron installation, and use of external system resources that are not clearly declared in the skill description. This mismatch is dangerous because users may authorize a monitoring tool without realizing it can store LinkedIn credentials locally and modify local automation, increasing the risk of credential theft, misuse, or unintended system changes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The cron payload instructs the agent to post LinkedIn-derived content to arbitrary external channels such as Discord, Telegram, Slack, and WhatsApp, which expands data flow beyond the skill's stated LinkedIn monitoring purpose. This creates an unnecessary cross-channel exfiltration path for private message content and drafted responses, especially if the configured destination is misconfigured, shared, or compromised.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README makes a strong safety claim that 'nothing sent without your OK' while the same document later advertises higher autonomy levels that can auto-reply and book meetings. This is dangerous because users may enable or trust the skill under a false assumption of human approval, leading to unexpected outbound actions from their LinkedIn account.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The top-level description frames the skill as inbox monitoring and drafting, but later documents autonomous replying and meeting booking. This mismatch can mislead users about the operational scope of the skill, causing them to grant access or deploy it without understanding that it may take account-impacting actions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script prints the full LinkedIn monitoring result, including complete message payloads and config-derived routing data, to stdout for a downstream cron processor. In cron and automation environments, stdout is commonly captured by logs, job runners, email notifications, or intermediary tooling, so this creates unnecessary exposure of sensitive inbox contents beyond the minimum needed for alerting.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script interactively asks the user to extract raw LinkedIn session cookies from the browser and then stores them for later reuse. Session cookies are effectively bearer tokens, so harvesting and persisting them creates a credential theft and account takeover risk if the file is exposed, mishandled, or reused beyond the user's expectation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs sending message previews and drafted replies from LinkedIn conversations to external communication channels without any warning, consent flow, or privacy boundary explanation. Because LinkedIn inboxes often contain personal, professional, or confidential information, this can leak sensitive content to third-party systems and broader audiences than intended.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes continuous monitoring of LinkedIn messages and forwarding alerts, but does not clearly warn that private inbox contents may be processed and transmitted to external channels such as Discord, Slack, or Telegram. This creates privacy and data-handling risk because sensitive personal or business messages could be exposed outside LinkedIn without users fully appreciating the implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Higher autonomy levels permit automatic replies and meeting booking, yet the README does not provide a prominent safety warning about unintended outbound actions, rate limits, account trust implications, or reputational harm. In the context of a LinkedIn automation skill, this is more dangerous because actions occur on a real professional account and may affect relationships, compliance, or platform enforcement.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports autonomy levels that can automatically send LinkedIn replies, book meetings, and act in the user's voice, but the description does not prominently warn about these high-impact actions. In a communications skill, insufficient disclosure increases the chance of accidental impersonation, reputational damage, unwanted commitments, or policy violations if users enable higher autonomy without understanding the consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup guide instructs users to keep a logged-in browser session running continuously and forward LinkedIn-derived alerts to Discord, but it does not disclose the privacy and data-sharing implications of moving message metadata or content into a third-party chat platform. In the context of an inbox-monitoring skill, this omission can cause users to expose sensitive professional communications without informed consent or proper handling safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide says users can approve and send drafted replies but does not prominently warn that the skill is capable of sending outbound LinkedIn messages on the user's behalf. In a tool marketed for progressive autonomy, this is especially risky because users may underestimate the consequences of granting browser/session access to an agent that can communicate externally as them.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The troubleshooting guide includes a destructive recovery path that removes the entire skill data directory, but it does not explicitly warn the user about data loss or require backup/confirmation steps. In an agent skill that stores state, logs, and configuration, this can cause unintended loss of operational data and force reauthentication or reconfiguration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The emitted instructions explicitly tell the downstream agent to post newly found LinkedIn message details to a Slack channel, which transfers private third-party communications into another system without any consent check, minimization, or user-facing disclosure in this file. In the context of an inbox-monitoring skill, this increases the chance of unintended data leakage of personal or sensitive message content to broader audiences and to Slack retention/search systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script retrieves LinkedIn conversation metadata and message text, then emits that data directly to stdout and logs related activity without any explicit consent gate, minimization, or user-facing disclosure in the execution path. In an agent skill with progressive autonomy and inbox monitoring, this creates a real privacy and data-exposure risk because downstream agents, logs, or integrations may process sensitive communications and personal identifiers without the user's informed awareness at runtime.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The wrapper forwards full message contents and metadata into cron-visible output without any consent prompt, warning, or data-minimization control. Because this skill's purpose is LinkedIn inbox monitoring, the exposed data can include private communications and personal information, making downstream leakage through logs or integrations more damaging than a normal status notification.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code collects highly sensitive LinkedIn session material and writes it to disk without clearly warning the user that these values grant account access and will be stored locally. In the context of an inbox-monitoring skill, this is especially dangerous because the stored cookies could let an attacker read private messages and impersonate the user session.

Credential Access

High
Category
Privilege Escalation
Content
    if not li_at or not jsessionid:
        # Try loading from config
        config_path = os.path.expanduser('~/.clawdbot/linkedin-monitor/credentials.json')
        if os.path.exists(config_path):
            with open(config_path) as f:
                creds = json.load(f)
Confidence
90% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
    config_dir = os.path.expanduser('~/.clawdbot/linkedin-monitor')
    os.makedirs(config_dir, exist_ok=True)
    
    config_path = os.path.join(config_dir, 'credentials.json')
    with open(config_path, 'w') as f:
        json.dump({
            'li_at': li_at,
Confidence
96% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
sys.exit(1)
    
    try:
        # Create client with cookies
        api = Linkedin('', '', cookies={
            'li_at': li_at,
            'JSESSIONID': f'"{jsessionid}"'
Confidence
84% confidence
Finding
Create client with cookies api = Linkedin('', '', cookies={ 'li_at': li_at, 'JSESSIONID': f'"{jsessionid}"' }) return api except Exception as e:

VirusTotal

66/66 vendors flagged this skill as clean.