Linkedin Outreach

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn automation skill appears purpose-built, but it can act from your account in bulk and saves login/session data locally with weak safeguards.

Install only if you are comfortable letting this skill automate LinkedIn as you. Review target lists carefully before running connect or follow-up commands, avoid using it on shared machines, treat the saved session file as sensitive account access, and delete the local config data when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation describes capabilities that require access to environment variables and outbound network communication, but it does not declare corresponding permissions. This creates a transparency and consent gap: users may install or run the skill without understanding that it can access credentials and interact with external services, which is especially sensitive for a LinkedIn automation tool handling login state and account actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill instructs users to place LinkedIn credentials in environment variables but does not warn about exposure risks such as shell history leakage, process/environment inspection, CI log disclosure, or accidental persistence on shared systems. In the context of a networked automation tool that logs into a third-party account, compromised credentials could allow unauthorized account access, messaging, data extraction, and account abuse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The code persists Playwright storage state for LinkedIn to a predictable file in the user's home config directory. That state can include active session cookies and authentication artifacts, so anyone with local access to the file, or malware on the host, may hijack the LinkedIn account without needing the password or the 2FA step again.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The skill writes scraped contact and outreach data to disk automatically in a local JSON file without explicit disclosure or consent. This creates a privacy and compliance risk because the file may contain personal data gathered from LinkedIn, which can be exposed to other local users, backups, or unrelated software on the machine.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The CLI prompts for LinkedIn credentials and restores a previously saved session, but this file gives users no explicit notice that authentication material may be stored or reused on disk. In an automation tool handling third-party account access, silent session persistence increases the risk of credential misuse, unauthorized reuse by other local users, and accidental exposure of authenticated state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The connect flow performs bulk outbound actions immediately after assembling the target URNs and optional message, without a final review or confirmation step. This makes it easy for a user or a malicious wrapper script to trigger unintended mass connection requests, causing account abuse, reputation damage, or platform enforcement against the user's LinkedIn account.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The follow-up command sends messages to every pending contact in bulk without a final confirmation step, aside from an optional dry-run mode. In a lead-generation automation context, this increases the chance of unintended mass messaging and can be abused by scripts or operator mistakes to send spam-like content at scale.

VirusTotal

66/66 vendors flagged this skill as clean.