ClawHub

The LinkedIn Optimization Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a remote API-key management skill with real key and session operations, but its listing and API documentation do not clearly scope or secure those sensitive actions.

Install only if you specifically intend to use this provider as a remote API-key management service and trust it with admin keys, session state, and managed API keys. Before using production credentials, require clarification on authentication, tenant isolation, debug-session output, get-random-key behavior, audit logging, retention, and rollback for revocations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The API surface includes browser/session-oriented endpoints such as /login, /logout, /admin, and /debug-session that exceed the declared purpose of centralized key lifecycle management. This broadens the exposed attack surface and suggests hidden stateful administration capabilities that could enable unauthorized access, session abuse, or information disclosure if the implementation is weak.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
A /get-random-key endpoint is highly inconsistent with controlled enterprise key management because it appears to expose key material retrieval without clear ownership, authorization, or lifecycle constraints. If implemented literally, it could leak valid credentials or normalize unsafe key distribution patterns, directly undermining the system's security model.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A /debug-session endpoint is unrelated to the declared service purpose and commonly indicates exposure of internal session state, tokens, or diagnostic data. In a key-management context, such debugging output can reveal authentication details or admin context that materially assists attackers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes example requests and responses that directly handle API keys, including returning full key material and submitting keys to remote endpoints, without any warning about secrecy, redaction, storage, logging, or safe transport practices. In a key-management skill, this context makes the issue more dangerous because users are encouraged to treat highly sensitive credentials as ordinary API fields, increasing the chance of credential leakage via shells, logs, screenshots, client telemetry, and shared docs.

External Transmission

Medium
Category
Data Exfiltration
Content
**Request:**
```bash
curl -X POST https://api.mkkpro.com/career/linproopt/verify-key \
  -H "Content-Type: application/json" \
  -d '{"api_key": "sk_prod_a7f9d3e2c1b5f8g4h6j2k9m1n3p5r7t9"}'
```
Confidence
97% confidence
Finding
https://api.mkkpro.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal