linkedin-candidate-search

Security checks across malware telemetry and agentic risk

Overview

The skill’s LinkedIn search purpose is clear, but it asks users to copy sensitive Chrome session/profile files and stores scraped candidate profile data locally without enough guardrails.

Review before installing. Use a dedicated Chrome profile created only for this workflow, log into LinkedIn manually there, avoid copying your main Chrome Cookies or Login Data, close the remote-debug Chrome process after use, and delete both the temporary browser profile and saved candidate files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill explicitly automates scraping and persistent storage of LinkedIn candidate profiles under local directories, but it does not present a meaningful user-facing consent notice, retention policy, or data minimization controls. Because the saved files include profile URLs and inferred employment attributes, this creates privacy and compliance risk from collecting and retaining personal data without clear disclosure.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill instructs the operator to copy Chrome profile artifacts including Cookies, Login Data, Web Data, Preferences, and Local State into a debug profile and use that profile to access LinkedIn. This exposes authenticated browser data and potentially sensitive tokens or stored secrets without an adequate privacy or security warning, increasing the risk of session compromise and unintended access to account data.

VirusTotal

65/65 vendors flagged this skill as clean.