ClawHub

Linkedin Email Phone Apify

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it sends user-provided LinkedIn URLs to disclosed Apify actors to retrieve email and phone contact data, with privacy and compliance caveats.

Install only if you are authorized to enrich the LinkedIn profiles you submit and are comfortable sending those URLs to Apify actors. Protect the APIFY_TOKEN, verify the actors' owners, pricing, and terms, disable phone or personal-email branches when not needed, and apply applicable privacy, anti-spam, and platform-compliance rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes LinkedIn contact enrichment to obtain emails and mobile phone numbers, but it does not include any warning about privacy, consent, lawful basis, or restrictions on processing sensitive personal data. In a lead-generation context, this omission can encourage misuse of scraped personal contact information and create legal, compliance, and privacy risk for users and data subjects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill processes LinkedIn profile URLs through third-party Apify actors, but the user-facing description does not clearly warn that this data is being transmitted to an external service for enrichment. That omission undermines informed consent and can cause unexpected disclosure of personal or business-related profile data to a third party, especially in enterprise or regulated environments.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This script sends user-supplied LinkedIn profile URLs to third-party Apify actors that perform email and phone enrichment, which expands the privacy sensitivity of the data processing. In a skill context, this is materially risky because users may not understand that profile identifiers are being transmitted to external services for contact-data enrichment, potentially triggering privacy, consent, or policy issues.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal