Back to skill

Security audit

LinkedIn Automation Enhanced

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with LinkedIn automation, but it can act on a live LinkedIn account and schedule public activity without strong confirmation or scoping controls.

Install only if you are comfortable with an agent operating through your logged-in LinkedIn session. Review and confirm every post, article, like, and comment before it goes live, avoid unbounded recurring schedules, remove or parameterize the hard-coded LinkedIn profile URL in analytics-extract.sh, and configure DISCORD_WEBHOOK only to a webhook you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares only browser requirements but embeds extensive shell command usage, including piped shell utilities and script execution. This creates a capability mismatch that can cause the agent to invoke undeclared command execution paths, weakening user and platform expectations about what the skill is allowed to do.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description is broad enough to trigger on many generic LinkedIn-related requests, including account-impacting actions like posting and engagement. Over-broad activation language increases the chance the skill is invoked without clear user intent or sufficient safeguards for high-impact actions on a live account.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The top-level description markets broad LinkedIn automation without defining hard boundaries, exclusions, or confirmation requirements before taking external actions. In a skill that can operate against a logged-in social-media account, ambiguous activation increases the risk of unintended posting, engagement, or other irreversible actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages automated posting and engagement on a logged-in LinkedIn account but does not prominently warn about account-impacting risks such as accidental public posting, spam/rate-limit enforcement, or reputational harm. Because the workflow performs actions on a real external account, the absence of clear warnings and confirmation steps makes misuse or accidental harm more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends failure alerts to an externally configured Discord webhook, creating an outbound data channel from a browser-automation script that processes LinkedIn analytics. Even though the current payload is only an error message, webhook destinations are opaque, user consent is not enforced at the call site, and future message content could easily expand to include sensitive account or operational details.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
exit 1
fi

# Output instructions for the agent to execute via browser tool
cat << EOF
📝 LINKEDIN ARTICLE WORKFLOW (Native Long-Form)
═══════════════════════════════════════════════════
Confidence
96% confidence
Finding
Output instructions

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.