linkedin-recruiting
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It ingests untrusted data from LinkedIn profiles, email digests, and resumes, which is then interpolated directly into the prompt context for the LLM during the triage process in
lr/triage.py. - Ingestion points: LinkedIn applicant names, headlines, locations, screening question answers (extracted in
lr/ingest_applicants.py), and resume text excerpts. - Boundary markers: Absent. The triage prompt template (
prompts/triage_batch.tmpl) and system prompt do not utilize specific delimiters or instructions to ignore instructions embedded within the candidate data. - Capability inventory: The skill has the capability to write to the local file system (Obsidian vault), execute shell commands via
subprocess.run, and perform browser automation via Playwright. - Sanitization: The skill does not perform specific sanitization or filtering of the external content before passing it to the model, relying only on standard JSON serialization.
- [COMMAND_EXECUTION]: The skill uses
subprocess.runinlr/claude_client.pyandlr/shell.pyto execute system commands. It specifically calls theclaudeCLI with the--dangerously-skip-permissionsflag to automate model interactions and interacts with sibling skills likegmail-skill. It also performs dynamic JavaScript execution within a browser context viapage.evaluateinlr/ingest_applicants.pyto extract applicant details and fetch resume data. - [DATA_EXFILTRATION]: The skill accesses a local Obsidian vault (
VAULT_ROOT) and potentially sensitive files such asComp Analysis.mddefined inlr/config.py. While this is part of its recruiting workflow, it involves reading from and writing to sensitive user directories. Additionally, applicant data and resume excerpts are transmitted to an external LLM provider for analysis.
Audit Metadata