Is foontinz/linkdapi safe?
https://github.com/openclaw/skills/tree/main/skills/foontinz/linkdapi
The foontinz/linkdapi skill is functionally coherent and installs cleanly with no executable code in the repository, no git hooks, and clean network behavior during clone. The primary risks are commercial and privacy-oriented: all LinkedIn data queries are routed through the third-party linkdapi.com service (which the skill author has financial incentive to promote via an embedded referral code), and the linkdapi PyPI package executes with agent-level permissions on every invocation and can be silently updated. No prompt injection techniques were detected and canary file integrity was maintained.
Category Scores
Findings (7)
HIGH All API queries routed through commercial third-party -25 ▶
Every LinkedIn profile lookup, company search, job query, and contact info request executed by the agent is sent to linkdapi.com servers. The skill author controls this service and has financial incentive to grow usage. There is no documentation of data retention, logging, or privacy policy referenced in the skill. Users should assume their professional data lookups may be logged and aggregated by the service operator.
HIGH PyPI supply chain risk via linkdapi package -20 ▶
The skill instructs the agent to download and execute the linkdapi package from PyPI on every invocation using uv run. This package is published by the skill author (or an affiliated party) and can be updated at any time without modifying SKILL.md. A malicious update to the PyPI package would automatically affect all future agent invocations without any detectable change to the installed skill.
MEDIUM Embedded monetization referral link -12 ▶
The skill contains an affiliate/referral code in the sign-up URL: https://linkdapi.com/signup?ref=K_CZJSWF. This creates a financial incentive for the skill author each time a user signs up. While disclosed and not technically injection, it establishes that the skill author has ongoing commercial interest in the skill's adoption and usage patterns, creating a conflict of interest in how the skill is designed and updated.
MEDIUM Contact PII exposed through third-party service -15 ▶
The skill exposes a get_contact_info(username) method that retrieves email addresses, phone numbers, and personal websites from LinkedIn profiles. This sensitive contact PII is transmitted to and processed by the third-party linkdapi.com service, where it may be logged or retained without the subject's knowledge.
MEDIUM Silent capability expansion via mutable PyPI dependency -20 ▶
Because the linkdapi package is fetched from PyPI at execution time and the skill instructs the agent to normalize arbitrary script execution via uv run, the skill author can expand the capability of the skill at any time by updating the package. This could include adding telemetry, modifying request logging, or introducing data collection without the user's awareness.
LOW Canary files accessed during install window -5 ▶
Filesystem and auditd monitoring recorded open/access syscalls on all six canary files (.env, id_rsa, .aws/credentials, .npmrc, docker/config.json, gcloud credentials) during the install window. Analysis of the audit trail and the ✅ canary integrity verdict indicates these accesses are attributable to the oathe monitoring system performing baseline scans, not to the skill install process itself. Logged for completeness.
LOW Normalizes /tmp script execution pattern -8 ▶
The Agent Workflow section establishes a pattern where the agent writes Python scripts to /tmp, executes them, and deletes them. While the workflow itself is functional, normalizing this pattern in an agent's operational context could make it easier for future prompt injections or malicious tool call responses to convince the agent that writing and executing arbitrary scripts is standard operating procedure.