LinkedIn Business Intelligence Collection

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn data skill is mostly read-only, but it asks for sensitive API access and includes overbroad personal-data collection plus unrelated fallback routes that users should review before installing.

Install only if you trust the MaxHub API provider and intend to let an agent query LinkedIn-derived business and personal-profile data. Treat MAXHUB_API_KEY as a secret, avoid using this for bulk profiling or unsolicited contact collection, and review the non-LinkedIn fallback instructions before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill claims to be a LinkedIn-only, read-only assistant, but its instructions and downgrade logic reference unrelated Douyin/Xiaohongshu endpoints. This inconsistency undermines trust boundaries and can cause the agent to route user queries or metadata to unintended services, expanding data exposure beyond the declared scope.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The documented behavior includes fallback routing to Douyin and Xiaohongshu path patterns despite the manifest describing a LinkedIn assistant. That creates a concrete cross-service execution path where user requests, query terms, and authenticated calls may be sent to unrelated APIs, violating least privilege and potentially breaching user expectations, compliance scope, or data-handling commitments.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The file documents LinkedIn group enumeration and post retrieval endpoints even though the stated skill scope focuses on profiles, companies, jobs, posts, comments, and ads. That scope expansion increases data-access surface and can enable collection of semi-public community data without clear user expectation or justification.

Vague Triggers

Medium
Confidence: 90%
Finding
The README advertises extremely broad trigger terms such as “用户/资料”, “公司/企业”, and “搜索/职位” without any activation constraints, scoping rules, or examples that tie invocation to explicit user intent. In an agent environment, this can cause the skill to activate on ordinary conversation and pull LinkedIn-related data unexpectedly, increasing the risk of over-broad data access and unintended external API calls.

Vague Triggers

Medium
Confidence: 89%
Finding
The README advertises extremely broad trigger phrases such as “用户, 资料”, “公司, 企业”, and “搜索, 职位”, which are common terms in normal conversation. In an agent environment that routes on natural-language matching, these generic triggers can cause the skill to activate unintentionally and access LinkedIn-related APIs when the user did not explicitly intend to invoke this skill.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation exposes rich personal-profile retrieval, including experiences, skills, education, interests, follower counts, and related profile cards, without any privacy, consent, retention, or acceptable-use warning. In a LinkedIn data skill, this materially increases the risk of surveillance, profiling, and misuse of personal data at scale.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation explicitly instructs use of a bearer token (`Authorization: Bearer $MAXHUB_API_KEY`) but provides no warning about secret handling, storage, redaction, or avoiding exposure in logs and prompts. In an agent skill context, this increases the chance that downstream tools, logs, or users mishandle the API key, leading to credential leakage and unauthorized API access.

Missing User Warnings

Medium
Confidence: 92%
Finding
This endpoint documents retrieval of privacy-sensitive contact data such as email, phone, birthday, address, and connection timing. Although the text says it only returns publicly exposed fields, the documentation lacks a strong warning about handling personal data, consent, downstream use restrictions, and legal/privacy compliance, which increases the risk of misuse for profiling, scraping, or unsolicited contact.

Missing User Warnings

Medium
Confidence: 90%
Finding
This endpoint exposes LinkedIn user contact information but the documentation does not prominently warn that the returned data may contain sensitive personal information. Even if technically accessible, presenting such an endpoint without clear privacy guidance can facilitate harassment, deanonymization, or bulk collection of personal contact details.

Missing User Warnings

Medium
Confidence: 88%
Finding
This parameter mapping exposes numerous operations for retrieving personal profile, contact, recommendation, activity, and social graph data, but provides no privacy notice, authorization boundary, or purpose limitation. In a LinkedIn data-query skill, that omission is security-relevant because it normalizes bulk access to sensitive personal information and can enable scraping, profiling, or unauthorized intelligence gathering if integrated without strict controls.

VirusTotal

VirusTotal findings are pending for this skill version.