Publora Linkedin

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Publora LinkedIn API guide, but an agent using it can perform real LinkedIn posting, commenting, reacting, scheduling, and deletion actions.

Install only if you want an agent to help operate LinkedIn through Publora. Store the Publora API key securely, use the least-privileged connected account practical, and require explicit confirmation of account, content, target post/comment/reaction, deletion target, and scheduled time before any mutating request is made.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill enables posting, scheduling, and deletion actions against a live LinkedIn account but does not include an explicit warning or confirmation requirement before performing state-changing operations. In an agent context, this increases the risk of unintended publication or destructive actions if the user request is ambiguous or the agent acts too eagerly.

Missing User Warnings

Low
Confidence: 80%
Finding: The analytics endpoints retrieve account and post performance data through a third-party API, but the skill does not warn that potentially sensitive business metrics are being transmitted and viewed. This can lead to privacy and data-governance issues, especially in enterprise environments where analytics access should be intentional and scoped.

VirusTotal

66/66 vendors flagged this skill as clean.
