Back to skill

Security audit

Keyapi Linkedin User Analytics

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn analytics skill appears purpose-related, but it grants broad KeyAPI tool access while caching personal profile data and saving an API token in plaintext without adequate disclosure or controls.

Review carefully before installing. Use it only for lawful, consented LinkedIn research, avoid collecting unnecessary contact details, delete cached profile data when finished, and do not let the runner save your KEYAPI token in a project .env file unless you have confirmed file permissions and git ignore coverage. Prefer a version that restricts tools to LinkedIn-only operations and makes caching/token persistence opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The runner is explicitly designed to call any KeyAPI MCP tool on arbitrary platforms, while the skill is presented as a LinkedIn user analytics capability. That scope mismatch creates an overbroad capability surface: users or downstream agents may invoke unrelated tools and platforms not justified by the manifest, enabling unintended data access or actions beyond the declared purpose.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Tool and schema enumeration exposes the full MCP server capability set, which can aid discovery of sensitive or higher-risk operations unrelated to LinkedIn analytics. In an agent setting, introspection materially lowers the barrier to capability probing and expands misuse potential beyond the advertised skill scope.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to retrieve contact information and extensive professional-profile data, yet it provides no privacy warning or handling guidance. This increases the risk of collecting, profiling, and sharing personal data without informed user consent or appropriate data-minimization expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow instructs persistent local caching of retrieved LinkedIn data, but does not warn users that personal data will be stored on disk or define retention controls. This is dangerous because cached contact and profile data can be exposed to other local users, backups, logs, or later unintended reuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prompts for a KEYAPI token and writes it to a local .env file automatically, without a clear consent prompt or warning about persistence. This increases the chance of credential exposure through accidental commit, insecure file permissions, shared workspaces, or later exfiltration by other processes reading the project directory.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instructions explicitly direct the agent to persist and process broad sets of personal and contact data from LinkedIn profiles. In context, this creates a real privacy and data-handling risk because the skill operationalizes bulk profiling and local storage without meaningful minimization or need-to-know constraints.

Ssd 3

Medium
Confidence
93% confidence
Finding
The reporting guidance encourages broad disclosure of profile, credential, reputation, and interest data in final outputs. That is risky because it normalizes compiling and redistributing detailed dossiers about individuals, potentially beyond the user's legitimate need and without any privacy safeguards.

Credential Access

High
Category
Privilege Escalation
Content
reject(new Error("No token entered. Set KEYAPI_TOKEN and try again."));
        return;
      }
      const envPath = join(ROOT, ".env");
      writeFileSync(envPath, `KEYAPI_TOKEN=${token}\n`, "utf8");
      log(`[token] Saved to ${envPath} — future runs will load it automatically`);
      process.env.KEYAPI_TOKEN = token;
Confidence
97% confidence
Finding
.env"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.