Is linkedin safe?

https://clawhub.ai/biostartechnology/linkedin

72
CAUTION

This LinkedIn automation skill contains no malicious code or explicit prompt injection, but it creates a significant risk surface by granting an AI agent browser control over an authenticated LinkedIn session. The instruction to extract and store the li_at session cookie is particularly concerning. Safety guardrails are advisory-only with no enforcement mechanism, and the skill's capabilities could be weaponized by a co-installed malicious skill.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (7)

HIGH Authenticated session exposure to AI agent -25

The skill grants an AI agent full browser control over a user's authenticated LinkedIn session. This includes access to private messages, connection lists, profile data, salary discussions, and recruiter conversations. The 'safety rules' are soft guidelines that an agent may not reliably follow, especially under prompt injection.

HIGH Session cookie extraction instruction -20

The skill instructs the agent to extract and store the li_at LinkedIn session cookie. This cookie provides full account access and, if stored insecurely or accessible to other skills, constitutes a credential theft vector.

MEDIUM Implicit broad permission scope -15

While the skill claims to be for 'messaging, profile viewing, and network actions,' it provides browser automation patterns that could be used for any LinkedIn action including accepting connections, endorsing skills, posting content, or changing account settings. The scope is effectively unlimited.

MEDIUM No enforcement of rate limits or safety rules -15

The skill states rate limits (30 actions/hour) and safety rules (confirm before sending) but these are purely advisory text. Nothing in the skill architecture enforces these constraints, leaving compliance entirely to the agent's judgment.

MEDIUM Potential for cross-skill weaponization -15

If a malicious skill is installed alongside this one, it could instruct the agent to use the LinkedIn browser session to harvest data, send messages, or extract the li_at cookie. The LinkedIn skill creates the capability; another skill could exploit it.

LOW Agent runtime accesses sensitive files during initialization -10

During the install phase, the agent runtime accessed .env, .aws/credentials, and agent auth profiles. While this appears to be runtime behavior (not skill-initiated), it demonstrates that the execution environment has access to sensitive credentials.

INFO No executable code in skill 0

The skill contains only markdown instructions and JSON metadata. No scripts, hooks, submodules, or symlinks are present. The risk surface is entirely in what the agent is instructed to do, not in code execution.