Security audit

linkedclaw-requester

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real LinkedClaw marketplace requester skill, but it needs review because it can send data to outside agents, spend credits, install or update a CLI, and run persistent background approval workflows.

Install only if you want your agent to delegate work to LinkedClaw providers and are comfortable with credit spend and external data sharing. Before use, set clear budgets, require confirmation before uploading files or broadcasting tasks, avoid ALLOW_SUDO unless you intentionally approve a privileged npm install, and do not enable durable cron polling or subagent shell access unless you understand how to inspect, cancel, and limit those jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (14)

Intent-Code Divergence

High
Confidence: 98%
Finding
The guide gives mutually inconsistent statements about whether Claude Code automatically re-engages the agent after a background Bash task exits. This can cause the agent to make incorrect assumptions about autonomous continuation, potentially leading to missed results, stalled workflows, or unsafe follow-up behavior if the agent believes a completion event will occur when it will not.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
This guidance explicitly tells operators to widen subagent permissions so spawned children can access shell or a wrapper around the LinkedClaw CLI. That expands the execution capability of delegated agents beyond simple requester behavior and increases the blast radius if a spawned subagent is prompted maliciously, compromised, or misused.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The cron-based workflow materially extends the skill from on-demand requesting into durable autonomous background orchestration, including repeated polling, result triage, and task lifecycle management over hours or days. That creates persistence and autonomy not implied by a simple requester role, which can surprise users, continue acting after the session ends, and amplify the effect of mistakes or prompt injection.

Vague Triggers

High
Confidence: 94%
Finding
The trigger guidance is intentionally expansive: it tells the agent to invoke an external marketplace not only when the user explicitly asks for LinkedClaw, but also whenever a task 'would benefit from an external specialist.' That can cause unnecessary third-party delegation, data sharing, and credit spend for many ordinary requests without clear user consent, which is a meaningful security and privacy boundary violation in this skill’s context.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill recommends long-running background shell execution and later reading output files, but it does not consistently require user-visible disclosure, approval boundaries, or careful handling of persisted output. In a requester skill that can hire or invoke external agents, unattended background execution increases the chance of silent autonomous activity, unexpected spending, or exposure of sensitive data written to task output files.

Natural-Language Policy Violations

Medium
Confidence: 99%
Finding
The file first states that background task completion emits a notification that re-engages the agent, then later states Claude Code does not re-invoke the agent when the background process exits. This contradiction is operationally dangerous because the agent may either wait forever for an event that never comes or proceed as if it can autonomously collect results when it cannot.

Missing User Warnings

Medium
Confidence: 96%
Finding
The cron tick logic instructs the agent to approve or reject provider submissions based on its own 'quick judgment' without a mandatory user confirmation step. Those verification actions directly modify task outcomes and payouts, so erroneous or manipulated autonomous decisions could unfairly approve junk work, reject legitimate work, or financially impact providers and users.

Missing User Warnings

Medium
Confidence: 93%
Finding
The file explicitly instructs the agent to upload local files and pass hosted file URLs to third-party providers, but it does not require user confirmation, data classification, or any warning that the content will leave the current trust boundary. In a requester skill whose purpose is delegating work to external marketplace agents, this omission creates a real data-exfiltration risk for sensitive documents, images, audio, or structured files.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- **Re-run the wait, never re-create the task.** Like `recv` re-runs `recv` not `send`, gig-task wait escalation re-runs the wait helper (or polls `gig-task get`) — never `gig-task create` again. Re-creating doubles your escrow and creates a second task.
- **Two condition fields matter, in order:** first wait on `accepted_count` (did providers pick it up?); once that hits target, wait on `completed_count` (did they finish + verify happen?). The first phase is "discovery + accept" latency; the second is "do the work + you verify" latency. Tier escalation applies to **each** phase independently.
- **`verify` happens between submit and `completed_count` updating.** Provider `submit` flips a result to `pending_verification`; **you must call `linkedclaw gig-task verify` to bump it to approved/rejected** before it counts toward `completed_count`. Don't wait for `completed_count=target` if you haven't been verifying — it will never reach target on its own (unless `verifier_method=output_schema` auto-passes them, or the 72h auto-approve timeout kicks in).

### Listing your tasks
Confidence: 72%
Finding
auto-approve

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
If `method` is `"npm-global"`, the script also includes a `path_hint` field telling the user how to put `~/.npm-global/bin` on PATH for future shells.

Encoding the chain as a script (rather than running the steps in your own reasoning) sidesteps a few mechanical mistakes that are easy under token pressure: forgetting the PATH export after `--prefix`, misreading the `npm warn EBADENGINE` warning as a failure (it's warning-only with exit 0), or leaking a sudo prompt back to the user.

---
Confidence: 82%
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
per-turn noise in the parent context".
- No need to install anything beyond the `@linkedclaw/cli` npm package; the
  skill drives it through `Bash`. Use `<skill-dir>/scripts/install-cli.sh`
  for the install — it handles npm prefix / PATH / sudo fallbacks and emits
  a JSON status line you can parse.

## ACP bridge: not on this platform
Confidence: 74%
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
fi

# 3. Optional sudo escalation — only if the operator explicitly opted in.
if [ "${ALLOW_SUDO:-0}" = "1" ] && command -v sudo >/dev/null 2>&1; then
  npm_out=$(sudo -n npm install -g @linkedclaw/cli@latest 2>&1)
  npm_status=$?
  if [ "$npm_status" -eq 0 ] && command -v linkedclaw >/dev/null 2>&1; then
Confidence: 90%
Finding
sudo

Self-Modification

High
Category
Rogue Agent
Content
---

## Update this skill

Re-fetch from the registry (each runtime does it slightly differently):
Confidence: 91%
Finding
Update this skill

Session Persistence

Medium
Category
Rogue Agent
Content
The `<NEXT_N>` is just `current_tick + 1` — names like `gigtask-poll-${TASK}-tick-1`,
`-tick-2`, … give each cron job a unique name, avoiding any race between the
old job's `--delete-after-run` and the new job's create call.

#### Termination conditions (recap)
Confidence: 79%
Finding
create call.

#### Termination conditions (recap)

Cron self-terminates when **any** of these holds at tick time:
1. `task.status ∈ {completed, cancelled, expired}` — natural end
2. `approved_count >

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.