Back to skill
Skillv1.0.0
VirusTotal security
linkedin-candidate-search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 8:01 AM
- Hash
- 67cdd10fd2d7ba2305bd10ca495c07dc3df6c767d1ef39273e5c83c846aa9dd7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: linkedin-candidate-search Version: 1.0.0 The skill bundle contains high-risk instructions in `skill.md` that direct the user to copy their entire Chrome profile—including sensitive files like `Cookies` and `Login Data` (which stores encrypted passwords)—into a temporary directory (`/tmp/chrome_debug_profile`). While this is framed as a method to maintain LinkedIn login state for automation, it unnecessarily exposes the user's credentials and session tokens. Additionally, the skill contains hardcoded local file paths (e.g., `/Users/junye/project/test-case/linkedin-zp`), indicating it may be an internal tool or poorly generalized script with significant security trade-offs.
- External report
- View on VirusTotal