linkedin-personal-branding

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes high-capability browser automation tools through Chrome DevTools and Playwright MCPs (e.g., mcp__chrome-devtools__navigate_page, mcp__chrome-devtools__click, mcp__chrome-devtools__take_snapshot). These tools are used to interact with the user's active, logged-in LinkedIn session to extract profile data, analytics, and Social Selling Index (SSI) scores.
  • [PROMPT_INJECTION]: An indirect prompt injection surface is present because the skill is designed to ingest and analyze unstructured data from external LinkedIn profiles (About sections, posts, headlines). This content is attacker-controllable and could contain malicious instructions meant to influence the agent's behavior.
    • Ingestion points: Data is ingested from various profile sections and activity pages via take_snapshot and take_screenshot as described in SKILL.md.
    • Boundary markers: Absent. The instructions do not include delimiters or specific guidance for the agent to ignore instructions that might be embedded within the processed profile data.
    • Capability inventory: The skill possesses significant capabilities, including the ability to navigate to arbitrary URLs, click elements, and take screenshots/snapshots of the browser session.
    • Sanitization: Absent. There is no mention of filtering, escaping, or validating the external content before the agent processes it for the branding report.
  • [DATA_EXFILTRATION]: The skill is explicitly instructed to access and analyze sensitive private data, including the user's Social Selling Index and internal profile analytics. While no evidence of unauthorized external data transmission was found, the agent is handling high-value personal and professional information (PII).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 08:49 PM