Linkedin AI Post Builder and Publisher

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with LinkedIn posting and optimization, but it under-discloses external AI data sharing and handles LinkedIn access tokens unsafely.

Review before installing. Use it only if you are comfortable giving it a LinkedIn token that can publish posts and sending draft content or research notes to Google Gemini. For sensitive drafts, use --no-feedback, avoid putting secrets in research_notes.md, and do not run the token helpers in logged terminals or CI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'upload_url' from requests.post (line 135, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
    """Uploads the file content to the registered URL."""
    headers = {"Authorization": f"Bearer {token}"}
    with open(file_path, "rb") as f:
        response = requests.put(upload_url, headers=headers, data=f)
        if response.status_code != 201 and response.status_code != 200:
            console.print(f"[red]File Upload Error:[/red] {response.text}")
            response.raise_for_status()
Confidence
92% confidence
Finding
response = requests.put(upload_url, headers=headers, data=f)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation instructs users to run scripts that use environment variables, perform network access to LinkedIn and Gemini, and read/write local files such as linkedin_history.jsonl, but the skill declares no permissions. This creates a transparency and trust problem: users and any policy enforcement layer cannot accurately assess or constrain the skill's capabilities before use.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill sends draft LinkedIn post content to Google's Gemini API, which is a third-party service outside LinkedIn. That creates a real data exposure/privacy risk, especially because drafts may contain confidential or unpublished business information and the manifest does not clearly justify or disclose this transfer.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Preview mode is presented as non-sending behavior, but the default path still transmits the post text to Gemini unless the user discovers and supplies --no-feedback. This is dangerous because users may reasonably believe preview means no external disclosure, causing accidental leakage of sensitive draft content.

Description-Behavior Mismatch

Medium
Confidence
74% confidence
Finding
The file implements OAuth authorization and token issuance logic, which exceeds the narrowly stated skill purpose of posting updates, tracking analytics, and optimizing content. In an agent-skill setting, adding credential acquisition capability increases the attack surface and could enable the skill to obtain broader account access than users expect.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The script reads developer credentials and exchanges authorization codes for access tokens, which is a sensitive capability not obviously required by the described content-management behavior alone. In a reusable skill, embedding token-generation logic can facilitate unintended credential handling and privilege expansion if the skill is repurposed or invoked unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it posts to LinkedIn, tracks analytics, and optimizes content, but this script only transmits user draft text to Gemini for analysis and rewriting. This capability mismatch is security-relevant because users may disclose sensitive business content under false assumptions about where their data is going and what the tool actually does.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script prints the full LinkedIn access token directly to stdout and instructs the user to copy it into a .env file. In many environments, stdout is captured by shell history, terminal scrollback, CI logs, process monitors, or agent transcripts, which can expose the token to unauthorized parties and enable account/API misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads local research notes from the user's workspace and transmits them to an external LLM API without any explicit user-facing notice, consent prompt, or data sensitivity check. If the notes contain confidential business information, personal data, or unpublished content, the user may unknowingly disclose sensitive material to a third party.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Draft post text is transmitted to Gemini without an explicit warning or consent prompt. In a posting tool, users may paste embargoed announcements, client details, or internal strategy, so silent third-party transmission materially increases confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
User-supplied LinkedIn draft text is sent to an external LLM API with no explicit warning, confirmation, or redaction step. In this skill context, drafts may contain embargoed announcements, client details, internal metrics, or other sensitive business information, so silent transmission to a third party creates a real confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.
