Is cyberboyayush/kakiyo safe?
https://github.com/openclaw/skills/tree/main/skills/cyberboyayush/kakiyo
The Kakiyo LinkedIn automation skill is a documentation-only MCP connector with no malicious code, no prompt injection patterns, and a clean install. However, it routes all LinkedIn prospect data and private conversations through a third-party service (api.kakiyo.com) published by an individual account falsely claiming official vendor status, enables mass outreach that violates LinkedIn's ToS, and provides webhook tools that can forward real-time user data to arbitrary URLs. The skill warrants caution primarily due to third-party data exposure and the authority misrepresentation, not active malice.
Findings (8)
HIGH All LinkedIn data routed to third-party api.kakiyo.com -20
Every operation — prospect names, LinkedIn URLs, private message conversations, campaign analytics — is transmitted to https://api.kakiyo.com/mcp. The user's full LinkedIn professional network activity is accessible to and stored by the Kakiyo service. The skill provides no data locality, encryption-at-rest, or retention policy information.
MEDIUM Publisher identity misrepresentation — claims official status -10
The skill asserts 'Official Kakiyo skill from Kakiyo.com' throughout but is published under the individual account 'cyberboyayush' with no verified affiliation. This false authority claim inflates user trust.
MEDIUM Agent instructed to solicit and store user API credentials -12
The skill's setup flow has the agent ask the user directly for their API key, then embed it in a persistent bearer token stored on disk, bypassing secure credential input conventions.
MEDIUM Webhooks can route real-time prospect events to arbitrary URLs -12
create_webhook and update_webhook accept any URL as the event destination. A manipulated agent could silently redirect prospect reply/qualification events to an attacker-controlled server.
MEDIUM Mass LinkedIn outreach enables policy-violating spam campaigns -15
The batch prospect addition, campaign management, and agent automation tools collectively enable LinkedIn Terms of Service-violating mass outreach campaigns with minimal agent friction.
LOW Canary files accessed during install window (ambiguous attribution) -18
Six honeypot files were opened and read during the monitoring window. Attribution is ambiguous between the oathe audit infrastructure and the install process. No exfiltration was detected and all files were confirmed intact. The skill contains no executable code that could have caused these reads.
LOW Do-Not-Contact list removable without per-operation gate -10
The remove_dnc tool can re-enroll opted-out contacts into campaigns, violating their consent and potentially applicable spam laws, without any confirmation gate described in the skill guidance.
INFO No executable code — pure markdown skill 0
No scripts, npm install hooks, git hooks, submodules, or symlinks were found. The skill is entirely documentation-based, directing agent behavior via natural language and mcporter CLI examples.