Linkedin - automation

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can act through a logged-in LinkedIn session and includes an unauthenticated local webhook that can alter scheduled public posts.

Install only if you are comfortable giving the skill access to a logged-in LinkedIn browser profile. Use a dedicated browser profile, avoid running the webhook/cron/systemd workflow until it has authentication and restricted CORS, review every public action before execution, and avoid third-party activity scraping unless you have a clear permitted basis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Tainted flow: 'STATE_FILE' from os.environ.get (line 9, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def _save_state(state):
    os.makedirs(os.path.dirname(STATE_FILE), exist_ok=True)
    with open(STATE_FILE, "w") as f:
        json.dump(state, f, ensure_ascii=False, indent=2)
Confidence
94% confidence
Finding
with open(STATE_FILE, "w") as f:

Tainted flow: 'STYLE_FILE' from os.environ.get (line 9, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def _save_style(style):
    os.makedirs(os.path.dirname(STYLE_FILE) if os.path.dirname(STYLE_FILE) else ".", exist_ok=True)
    with open(STYLE_FILE, "w") as f:
        json.dump(style, f, ensure_ascii=False, indent=2)
Confidence
91% confidence
Finding
with open(STYLE_FILE, "w") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation exposes capabilities to read environment variables and write local files, but it does not declare permissions accordingly. This weakens user understanding and governance around what the skill can access, especially because it also persists state and operates a webhook-backed workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes well beyond ordinary LinkedIn posting automation and includes a standalone webhook server, local file mutation, arbitrary content-calendar updates, style profiling, and scraping another user's activity. This mismatch prevents informed consent and can conceal higher-risk behaviors behind an apparently narrower automation description.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill states that posting actions must never occur without explicit user approval, yet the content-calendar workflow allows automatic posting via cron after approval. That inconsistency can lead agents or operators to over-trust the safeguard and trigger actions without fresh confirmation at execution time.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The disclaimer says the skill should not be used for scraping other users' data, but the documented activity command explicitly scrapes another person's LinkedIn activity. This contradiction normalizes prohibited or privacy-invasive behavior and increases the chance of misuse against third parties.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Telling users to invoke the skill for 'any LinkedIn task' is overly broad and encourages use beyond the reviewed safety boundary. In a skill that can post, delete, scrape, persist data, and run automation workflows, broad invocation language materially increases the chance of unsafe or unintended actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description omits a prominent warning that it can scrape another person's LinkedIn activity. That omission reduces transparency for users and reviewers, who may enable the skill without realizing it includes third-party data collection behavior with privacy and policy implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly describes autonomous publication to LinkedIn once a post is marked approved and its scheduled time has passed, but it does not mention any user-facing warning, confirmation boundary, or operational safeguard around external posting. In a skill that uses persistent browser automation against a real LinkedIn account, this increases the risk of unintended or unauthorized public posting if approval state, schedule data, or webhook inputs are manipulated or misunderstood.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The POST webhook accepts unauthenticated JSON and persists it directly into action logs and content-calendar state, including changing post status and recording edit requests. Because it also enables wildcard CORS, any website visited by a local user could issue cross-origin requests to this localhost service and tamper with scheduled LinkedIn content or trigger workflow actions.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The PUT handler allows arbitrary overwriting of stored post fields with no authentication, authorization, or integrity checks. In the context of a LinkedIn automation skill, this is especially dangerous because an attacker able to reach localhost—potentially via browser-based cross-origin requests due to permissive CORS—can alter content, images, tags, or status and thereby manipulate or sabotage outbound social-media publishing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The delete_comment function performs a destructive LinkedIn action immediately after matching comment text, with no explicit confirmation step, dry-run mode, or secondary validation of the exact target. In an automation skill that operates on a live persistent browser session, a bad match, UI drift, or caller mistake could cause unintended permanent deletion of comments, including business-critical or user-authored content.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This function automates scraping of a LinkedIn profile's recent activity using an authenticated persistent browser session, but it contains no consent check, authorization guard, or user-facing disclosure before collecting another user's posts. In the context of a LinkedIn automation skill, that makes privacy-invasive collection easier to perform at scale and increases the risk of misuse, policy violations, or unauthorized monitoring of individuals.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function persists a style profile containing profile identifiers, sample posts, and sample comments to local disk, but there is no consent prompt, disclosure, retention control, or protection of the stored file. In this skill's context, that creates privacy and data-handling risk because LinkedIn content is being scraped from an authenticated session and then retained locally where other users, processes, backups, or logs may access it.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code automatically scans the user's recent posts and comments from a logged-in LinkedIn session to infer behavioral/style characteristics, but it does so silently. In an automation skill that uses a persistent browser profile, this is more sensitive than ordinary scraping because it leverages authenticated access and analyzes personal content without an explicit just-in-time notice or approval step.

VirusTotal

64/64 vendors flagged this skill as clean.
