Back to skill

Security audit

Linkedin - automation

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn automation skill appears purpose-related, but it can act on a real public account and includes under-scoped automatic posting and persistent service behavior.

Review this carefully before installing. Use it only with a LinkedIn account where you accept automation risk, disable or avoid the cron/webhook auto-posting service unless you have explicit safeguards, and require manual review before any post, repost, edit, or delete action. Prefer a dedicated browser profile and do not run the persistent service with elevated privileges unless you understand how to stop and audit it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Tainted flow: 'STATE_FILE' from os.environ.get (line 9, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def _save_state(state):
    os.makedirs(os.path.dirname(STATE_FILE), exist_ok=True)
    with open(STATE_FILE, "w") as f:
        json.dump(state, f, ensure_ascii=False, indent=2)
Confidence
95% confidence
Finding
with open(STATE_FILE, "w") as f:

Tainted flow: 'STYLE_FILE' from os.environ.get (line 9, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def _save_style(style):
    os.makedirs(os.path.dirname(STYLE_FILE) if os.path.dirname(STYLE_FILE) else ".", exist_ok=True)
    with open(STYLE_FILE, "w") as f:
        json.dump(style, f, ensure_ascii=False, indent=2)
Confidence
92% confidence
Finding
with open(STYLE_FILE, "w") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes environment-variable use and local file writes but does not declare permissions, which weakens user awareness and any permission-gating the platform may rely on. In a skill that automates a logged-in social account and persists browser/session-related state, undeclared file and env access increases the risk of hidden persistence, data leakage, or unexpected side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is LinkedIn automation, but the documented behavior extends to running an HTTP server, mutating local records via webhook endpoints, persisting style profiles, and managing additional state files. That mismatch is dangerous because users may authorize the skill expecting browser automation only, while it also exposes network-reachable control surfaces and broader local data handling that can be abused for unauthorized posting or data manipulation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation claims personal-use-only and warns against scraping, yet it explicitly offers an 'activity' command to scrape another user's activity. This inconsistency normalizes prohibited collection behavior and can lead to privacy violations, account restrictions, or misuse of harvested engagement data.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill states a strict rule to never post or modify content without explicit approval, but later documents automatic edit application and cron-based auto-posting. In the context of a persistent logged-in LinkedIn session, that contradiction is especially dangerous because queued or remotely triggered actions can publish or alter content without real-time user confirmation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Telling agents to use the skill for 'any LinkedIn task' creates an overly broad activation trigger that can cause the skill to be invoked in contexts beyond what the user intended. Because this skill can post, edit, delete, scrape activity, and run scheduled workflows against a real account, over-broad invocation increases the chance of unintended high-impact actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The section describing auto-posting via cron/webhook does not foreground the autonomous nature and risk of publishing from a persistent authenticated session. In this context, insufficient warning makes accidental deployment more likely and can lead to unreviewed public posts, reputational damage, or abuse through exposed workflow endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document describes fully automated posting to an external platform once a scheduled time passes, and also includes privileged installation steps using sudo/systemd, but it does not present explicit safety warnings, authorization requirements, or operator confirmation expectations. In a skill that automates LinkedIn actions with a persistent browser profile, this increases the risk of unintended account activity, policy-violating automation, or unsafe deployment changes by users who may treat the instructions as turnkey.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill collects a user's recent LinkedIn posts and comments, derives a behavioral/style profile, and persists both summary fields and content samples to local disk without any visible consent, notice, retention control, or minimization in this file. In the context of a LinkedIn automation skill using a persistent browser profile, this increases privacy risk because personal content and inferred traits are silently stored and may later be reused or exposed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI exposes destructive actions such as deleting and editing comments, reposting, and posting content with no confirmation gate, dry-run mode, or user-visible warning. In an automation skill using a persistent authenticated LinkedIn session, a mistaken invocation, prompt-injection-driven tool call, or misuse by another component can immediately perform irreversible or reputation-impacting actions on the user's account.

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0
Confidence
92% confidence
Finding
playwright>=1.40.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.