ClawHub

LinkedIn

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed LinkedIn connector skill that uses OOMOL's CLI, with setup and account-access risks the user should understand before enabling it.

Install only if you want an agent to use your OOMOL-connected LinkedIn account. Confirm any action that posts, edits, comments, or otherwise changes LinkedIn content, and review the oo CLI installer before running the curl-to-shell setup command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
97% confidence
Finding
The description says to use this skill for "ANY LinkedIn request" and "Whenever a task involves LinkedIn," which is extremely broad and overlaps with many common tasks involving the site. It does not provide boundaries, exclusions, or negative examples to clarify when the skill should or should not activate.

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
90% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal