Linkedin Profile Audit

Security checks across malware telemetry and agentic risk

Overview

This skill can read and edit your LinkedIn profile through your logged-in browser, but that behavior is disclosed, purpose-aligned, and not hidden in packaged code.

Install only if you are comfortable letting an agent automate your logged-in LinkedIn session. Review proposed edits before saving, keep a backup of original descriptions, and delete local review or memory files if they contain sensitive personal career details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documentation materially understates the skill's network behavior by claiming no data is sent to external servers, even though the automated browser session reads from and writes to linkedin.com. This is dangerous because it can mislead users and reviewers about where sensitive profile data is processed and whether live account modifications occur, reducing informed consent and weakening risk assessment.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
Describing the network path as 'local Chrome session only' obscures the fact that the automation performs real-time operations against a live third-party service. That mismatch can cause operators to treat the skill as effectively offline/local when it actually has account-changing external effects, increasing the chance of unsafe use and insufficient review.

VirusTotal

65/65 vendors flagged this skill as clean.
