Security audit

LinkdAPI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed LinkdAPI skill for LinkedIn data lookups, with privacy and API-key cautions but no evidence of hidden or destructive behavior.

Install only if you intend to use LinkdAPI for LinkedIn lookups. Use a dedicated API key, avoid exposing it in chats or logs, monitor API-credit usage, and make sure any profile or contact information you retrieve is handled according to applicable privacy, consent, retention, and platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 97%
Finding
The skill description contains directive language such as 'Always use this skill for ANY LinkedIn data task,' which is an overbroad routing instruction that can cause the agent to invoke this skill for ambiguous or only loosely related requests. That creates a security and policy risk because it biases tool selection toward a data-scraping/information-enrichment capability even when user intent is unclear or a safer, narrower response would be more appropriate.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly promotes collecting profile contact information and lead enrichment workflows, but it provides no warning, consent requirements, or handling guidance for sensitive personal data. In context, this is more dangerous because the skill is designed for B2B prospecting and bulk research, increasing the likelihood of privacy-invasive use, unauthorized enrichment, or downstream misuse of emails, phone numbers, and other contact details.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.