ClawHub

LinkedIn Jobs

Security checks across malware telemetry and agentic risk

Overview

This skill coherently searches LinkedIn jobs and can optionally save local search profiles for repeated checks, with no evidence of hidden credential use or unrelated data access.

Install only if you are comfortable with LinkedIn job scraping, repeated network checks when you explicitly enable monitoring, and local files storing your saved searches and seen job IDs. Confirm before creating schedules, removing profiles, or clearing history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README explicitly promotes automated cron-based monitoring and documents persistent tracking files, but it does not clearly warn users that the skill may run in the background and store local job-search history over time. This is a real transparency and privacy issue: users may unknowingly enable recurring activity or leave behind sensitive preference/location data on disk, even though the behavior is not inherently malicious.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The intent mapping is broad enough that ordinary job-search phrases can trigger execution of scraping or profile-management actions without clear boundaries or confirmation. In an agent environment, this raises the risk of overbroad invocation, unintended network requests, and unintended persistent changes such as adding monitoring profiles.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented commands include destructive operations such as removing profiles and clearing job history, but there is no guidance to confirm with the user before executing them. This can lead to accidental loss of saved searches or deduplication state, especially if the agent maps ambiguous user requests directly to commands.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill promotes hourly cron-based monitoring without warning that this creates ongoing background execution and repeated outbound network access. While expected for monitoring, the lack of disclosure makes the persistence and resource/network implications less visible to users and increases the chance of unintended continuous activity.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal