Linkedin Thread Engagement

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn monitoring skill is coherent, but it may send profile and comment activity to an external API and can delegate replies to an auto-posting backend without a clear approval gate.

Review before installing if you connect real LinkedIn or publishing accounts. Prefer a manual copy-paste backend unless you explicitly want automated posting, require approval for every public reply or DM, and verify what HarvestAPI, Publora, and linkedin-reply-handler receive, store, and can do with your account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (92% confidence)
Finding
The skill instructs collection of the user's LinkedIn comments and thread activity through an external API, but does not clearly warn the user that their social activity will be fetched, analyzed, and potentially used to draft replies or route to DM. This creates a transparency and privacy-consent problem: users may expose profile activity and engagement data to a third-party service without informed awareness, increasing privacy, compliance, and trust risks.

VirusTotal

66/66 vendors flagged this skill as clean.
