Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill instructs users to store sensitive LinkedIn credentials (email and password) in a plaintext file (community-pulse/skills/linkedin/.env.profiles.local). Storing secrets in unencrypted local files is a high-risk practice, as any other process or compromised skill with filesystem access can read them.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data from the web using read_page and get_page_text on LinkedIn posts.
  - Ingestion points: LinkedIn post content and comments read in references/research.md and references/engage.md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when the agent evaluates posts or drafts comments.
  - Capability inventory: The skill has browser control capabilities (computer, form_input, navigate) and filesystem access.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from LinkedIn before it is processed by the LLM.
- [COMMAND_EXECUTION] (SAFE): The skill uses Browser MCP tools to automate web navigation and interaction. This behavior is consistent with the skill's primary purpose. Security risk is mitigated by mandatory human-in-the-loop checkpoints ('ASK USER FOR APPROVAL') before sensitive actions like logging in or posting content.
Recommendations
- AI detected serious security threats
Audit Metadata