Security audit

Linkedin Easy Apply Automation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward LinkedIn job-application automation guide, but it can submit real applications and store local run history, so users should run it carefully.

Install only if you are comfortable letting an agent use your logged-in LinkedIn browser session to prepare and potentially submit applications. Keep DRY_RUN enabled until reviewed, use a dedicated protected browser profile, set low scan/apply limits, review logs for personal data, and delete the profile/state files when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill automates submission of resumes and applicant data to LinkedIn and persists application history locally, but it does not explicitly warn that this transmits personal data to a third party and creates local records that may contain sensitive employment information. In an automation context, users may run this at scale or on shared systems, increasing the chance of unintended disclosure or retention of personal data.

Missing User Warnings

Medium
Confidence: 90%
Finding
Recommending a persistent browser profile without an explicit warning is risky because such profiles commonly contain authenticated session cookies, saved form data, browsing history, and other sensitive artifacts. If the profile directory is reused, copied, exposed through backups, or stored in an insecure location, it can enable account hijacking or broader privacy compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.