Keyapi Linkedin Company Analysis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate KeyAPI LinkedIn research skill, but its bundled runner is broader than the advertised LinkedIn-only purpose and stores tokens/results locally.

Install only if you are comfortable with a generic KeyAPI MCP runner, not just a narrowly locked LinkedIn helper. Use a dedicated KEYAPI_TOKEN, prefer setting it in the environment instead of typing it into the prompt, run commands explicitly with --platform linkedin, review each tool name and JSON parameter before execution, and delete .env or .keyapi-cache when you no longer need the token or collected data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a LinkedIn company analysis tool, but the documented workflow relies on a generic runner that can list schemas and invoke arbitrary MCP tools via a tool name parameter. That broader capability increases the attack surface: a user or upstream prompt could steer execution toward unintended tools or platforms, causing overbroad data access, unexpected network actions, or use outside the declared scope.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script is a generic KeyAPI MCP runner that can invoke arbitrary tools and target arbitrary platforms, while the skill is advertised as LinkedIn company analysis only. That mismatch expands the effective capability boundary of the skill, enabling use of unrelated APIs and actions that a user or reviewer would not reasonably expect from the manifest.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Allowing arbitrary --platform selection lets callers access non-LinkedIn backends despite the skill’s narrow stated purpose. In an agent setting, this creates scope creep and can be used to pivot into unrelated data domains or capabilities under the guise of a LinkedIn analysis skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
--list-tools and --schema expose server capability discovery beyond the declared function of the skill. Capability enumeration is not always dangerous by itself, but in a scoped skill it leaks the broader action surface and makes misuse of unrelated tools easier.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill instructs the agent to persist API responses under a local cache directory but does not prominently warn users that potentially sensitive third-party data will be written to disk. Local caching can expose collected company, employee, and job data to other users, processes, backups, or later prompts if the workspace is shared or insufficiently protected.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prompts for a KEYAPI token and silently persists it to a local .env file, which may be readable by other local users, accidentally committed, or harvested by other tooling in the workspace. Storing credentials by default without an explicit opt-in increases the chance of credential exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
API responses are cached to disk by default with no explicit warning, which can store potentially sensitive third-party data locally. In an agent/skill environment, silent local persistence broadens the exposure window and may violate user expectations or data-handling constraints.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
Execute tool calls and persist responses to the local cache to avoid redundant API calls.

**Calling a tool:**

```bash
# Single call with pretty output
```
Confidence
92% confidence
Finding
tool:*

VirusTotal

64/64 vendors flagged this skill as clean.