LinkedIn Skill

Security checks across malware telemetry and agentic risk

Overview

This LinkedIn automation skill is disclosed, but it gives an agent broad power to message, post, change connections, run workflows, and handle account tokens without enough safety boundaries.

Install only if you intentionally want an agent to operate a real LinkedIn account through Linked API. Treat both tokens as secrets, avoid exposing them in chat or logs, confirm every message, InMail, post, comment, reaction, connection change, account switch, reset, and workflow run, and review any workflow JSON before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill exposes a generic `workflow run` capability that can execute arbitrary multi-action automation from a file, stdin, or inline JSON, but the manifest description frames the skill as a bounded set of LinkedIn operations. That mismatch is dangerous because downstream agents or users may underestimate the breadth of executable behavior and allow unreviewed workflow content to drive powerful account actions at scale.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Allowing workflow definitions from local files and stdin introduces a broad ingestion surface where arbitrary JSON instructions can be passed into a powerful automation engine. In an agent setting, this increases the risk of prompt-to-tool escalation, unintended execution of attacker-supplied local content, or opaque bulk actions that exceed the user’s expected LinkedIn-only task scope.

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill supports state-changing actions such as messaging, posting, reacting, commenting, and connection management, but the documentation does not prominently warn that these operations modify the user’s LinkedIn account and may have external effects. In an autonomous or semi-autonomous agent context, insufficient warning can lead to accidental outreach, reputation damage, or unintended social-engineering style actions on behalf of the user.

Missing User Warnings

Medium
Confidence: 86%
Finding
The authentication section instructs users to handle Linked API and identification tokens without emphasizing that they are sensitive credentials that grant account access. In an agent environment, users may paste tokens into insecure contexts or logs, enabling credential theft and full misuse of LinkedIn automation capabilities.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documented account reset commands can remove the active account or all accounts, but the skill does not warn about irreversible or disruptive effects. Without an explicit warning, an agent or user may invoke destructive commands during troubleshooting and unintentionally delete account configuration or access state.

VirusTotal

64/64 vendors flagged this skill as clean.
