Linkedin Content Optimizer Engagement Booster

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn growth skill is not malicious, but it asks for sensitive LinkedIn and outreach authority without enough privacy, consent, or control boundaries.

Install only if you can keep the workflow tightly controlled: use least-privilege tokens, avoid broad exports or CRM syncs unless authorized, review every message and recipient before sending, and ensure LinkedIn terms, privacy obligations, consent, retention, and opt-out handling are addressed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 79%
Finding
The skill proposes collecting profile-view and related behavioral data for re-engagement analysis without clearly establishing necessity or proportionality. Behavioral tracking of this kind can expose sensitive relationship and interest signals and may violate user expectations, platform rules, or internal privacy requirements if over-collected.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill describes access to LinkedIn data and transmission to OpenAI, Google Sheets, Slack, and HubSpot, but does not warn users about privacy implications, third-party processing, or potential exposure of personal and engagement data. This omission increases the risk of uninformed consent, inappropriate sharing, and regulatory noncompliance.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill encourages highly personalized outreach using prospect activity, liked posts, and mutual connections without addressing privacy, consent, or anti-spam boundaries. In context, this makes misuse more likely because the feature is explicitly designed to operationalize personal behavioral data into outbound messaging campaigns.

VirusTotal

66/66 vendors flagged this skill as clean.
