Back to skill

Security audit

Maxhub Linkedin

Security checks across malware telemetry and agentic risk

Overview

This read-only LinkedIn data skill is not malware, but it can collect personal/contact data through a third-party API with broad routing and weak consent gates, so it should be reviewed before installation.

Install only if you are comfortable sending LinkedIn identifiers, search terms, URLs, and possible contact/profile data to MaxHub at aconfig.cn. Use it for authorized business or recruiting research, avoid bulk people/contact harvesting, do not provide production cookies or session tokens, and require explicit user confirmation before any contact-info or person-profiling lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a public LinkedIn data query tool, but the documentation expands scope to collecting contacts, private messages, and closed-group discussions. That mismatch can cause an agent or operator to send highly sensitive personal data to a third-party service without clear authorization boundaries, increasing privacy, compliance, and platform-abuse risk.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The documented use cases include lead generation and background investigation, which encourage profiling and contact discovery involving personal career data. In a skill that transmits identifiers, keywords, URLs, and optional cookies/tokens to a third party, these scenarios materially raise the chance of unauthorized surveillance, excessive collection, or misuse beyond a minimum-necessary purpose.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The top-level description says the skill queries public LinkedIn data, but later sections state that returned data may include private messages and contacts. This contradictory trust signal is dangerous because agents may treat the tool as low-risk/read-only public-data access while actually handling much more sensitive personal content through a third-party API.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file instructs the agent to perform local package-management and shell-based update actions such as running CLI tools, changing directories, pulling from git, and reinstalling the skill. These actions exceed the skill’s declared read-only LinkedIn data-query purpose and create a path for an agent to modify the local environment or fetch unreviewed code from external sources, which is dangerous if followed automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises access to LinkedIn contact information, employee lists, and other profile data, but it does not clearly warn that these are privacy-sensitive data types or that queries are sent to a third-party service at aconfig.cn. In a skill intended for market research and recruiting, this omission can lead users or downstream agents to collect, transmit, or retain personal data without adequate notice, minimization, or authorization controls.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation scope is broad and generic, using intents like query, analyze, search, chain, and report without clear exclusions for sensitive-person data scenarios. Broad activation criteria increase the chance an agent invokes this skill in contexts involving personal profiling or data export when a narrower, safer tool or a refusal would be more appropriate.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The index enumerates many person-centric endpoints, including profile, posts, comments, contact info, education, skills, and employee lists, but presents them only as low-risk read-only atoms without any visible privacy, authorization, or data-minimization warning in the file itself. In this skill’s context, that can normalize broad collection of professional personal data and increase the chance an agent chains sensitive lookups or contact-data retrieval without sufficient user consent or purpose limitation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document describes employee-list endpoints and even notes that returned usernames can flow into other files, but it does not warn that these outputs are personal identifiers tied to individual professionals. In a skill explicitly used for market research, recruiting leads, and intelligence gathering, this omission increases the risk of bulk profiling, unauthorized people search, and downstream misuse of personal data.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The file shows bearer-token authentication via an environment variable but gives no handling guidance for secrets such as avoiding logging, echoing, or embedding the token in prompts and outputs. While this is common documentation, in agent skills it can still contribute to accidental credential exposure through traces, debugging, or unsafe tool wrappers.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Several trigger phrases such as “找人”, “找工作”, “hashtag”, and similar short natural-language terms are broad enough to match ordinary user requests that may not clearly indicate consent to query LinkedIn-style public profile, job, or post data. In this skill, accidental recipe selection can cause the agent to retrieve or chain additional professional and personal data from MaxHub without sufficient disambiguation, increasing privacy and over-collection risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "竞争对手" is broad and can match ordinary business conversation that does not necessarily request competitor-analysis enrichment. In this skill, that broad matching is more sensitive because the recipe chains into company profile and competitor data retrieval, which can cause over-collection of third-party business intelligence beyond the user's precise intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase set for the search-posts recipe includes broad natural-language wording such as '找帖子' and '领英文章', which can cause the agent to invoke LinkedIn post-search behavior from vague user requests that do not clearly express intent to search public social content. In a skill that accesses professional-profile and post data, oversensitive routing increases the chance of unnecessary data retrieval and over-collection beyond the user's actual request.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The hashtag recipe can be activated by generic wording like 'hashtag' or '标签帖子', which may match casual mentions of tags rather than a clear request to enumerate social posts. Because the skill queries public professional-social data, low-specificity activation can lead to unintended collection of topical post feeds that the user did not explicitly ask for.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough that the skill may activate on general job-seeking or LinkedIn-related requests without clear user intent or scope checks. In a skill that queries public professional and potentially personal employment data, ambiguous activation increases the chance of unnecessary data retrieval, over-collection, or use outside the user's intended task.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases for this recipe include very broad everyday language such as “找人”, which can match many ordinary user requests and route them into a people-search capability without sufficiently clear user intent. In this skill’s context, that increases the chance of unnecessary retrieval of personal professional data from LinkedIn-like sources, creating privacy and data-minimization risks even though the API is nominally read-only.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly exposes endpoints for retrieving user contact information and labels the returned data as PII, but it does not pair those capabilities with concrete privacy, consent, or purpose-limitation requirements at the endpoint level. In a LinkedIn people-data skill, this increases the risk that an agent will collect or disclose personal contact data for lead generation, profiling, or outreach without verifying authorization or necessity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The V2 endpoint list includes a direct contact-information endpoint marked as returning PII, yet the surrounding guidance still frames risk as low and does not require a privacy gate before invocation. That mismatch can normalize sensitive-data access and lead downstream agents to treat personal contact retrieval as routine read-only data access rather than a controlled operation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.