AgentWard Security Audit: Email Impersonation + Social Engineering Chain
Scanned by: AgentWard v0.2.5
Skills analyzed: outlook-delegate (by 87marc), linkedin-connect + linkedin-dm (by 10madh)
Source: 87marc, 10madh
Summary
These skills enable an agent to impersonate a user via email (Send As / Send on Behalf) and conduct mass LinkedIn outreach — connecting with targets and sending personalized DMs. Individually concerning; together they form a complete social engineering pipeline.
| Skill | Severity | Tools |
|---|---|---|
| outlook-delegate | | 5 |
| linkedin-connect | | 9 |
| linkedin-dm | | 7 |
Skill Chaining Risk
The chain: linkedin-connect → linkedin-dm → outlook-delegate
- linkedin-connect bulk-connects with targets from a spreadsheet — handles profile discovery, stale URL fallback via Google search, and anti-detection with randomized delays
- linkedin-dm sends personalized messages to connections — with "relationship analysis per person" to craft contextual messages
- outlook-delegate sends emails as the mailbox owner ("Send As") — recipients see the email coming from the owner with no indication of delegation
Attack scenario: An agent with these three skills could:
- Mass-connect with a target list on LinkedIn (hundreds of people)
- Send personalized DMs to warm up the relationship
- Follow up via email, impersonating the mailbox owner — recipients see a legitimate-looking email from a real person they recently connected with on LinkedIn
The anti-detection features make this worse:
- linkedin-connect has "rate limiting / anti-detection" capabilities with randomized delays
- It uses both Chrome Browser Relay and OpenClaw isolated browser to avoid detection
- linkedin-dm has explicit "antidetection_rules" for evading LinkedIn's automation detection
- The skill explicitly handles accounts "flagged for automation"
Individual Findings
outlook-delegate:
- All 5 tools rated ⚠️ HIGH — financial operations with value transfer risk
- security_considerations and revoking_access are destructive (can delete/modify data irreversibly)
- Supports three sending modes: As Self, As Owner (Send As), On Behalf Of
- AgentWard recommends requiring human approval for destructive tools
linkedin-connect:
- connecting_on_a_profile — ⚠️ HIGH: executes connection requests via browser automation
- threetier_profile_discovery_priority_order — ⚠️ HIGH: multi-tier discovery including Google search fallback
- Includes browser profile management and rate limiting
linkedin-dm:
- message_structure — ⚠️ HIGH: crafts personalized outreach messages
- sending_flow_per_person — ⚠️ HIGH: automated DM sending pipeline
- Includes CRM tracking via Google Sheets and batch preview before sending
Recommendations
For users of these skills:
```
pip install agentward
agentward init
```

AgentWard can enforce skill chaining rules to prevent this combination:

```yaml
skill_chaining:
- linkedin-connect cannot trigger outlook-delegate
- linkedin-dm cannot trigger outlook-delegate
- outlook-delegate cannot trigger linkedin-connect
- outlook-delegate cannot trigger linkedin-dm
require_approval:
- outlook-delegate:security_considerations
- outlook-delegate:revoking_access
- linkedin-connect:connecting_on_a_profile
- linkedin-dm:sending_flow_per_person
```

For skill developers:
- outlook-delegate: The "Send As" mode is particularly dangerous — recipients cannot distinguish the email from one the owner actually sent. Consider requiring explicit human approval before every send, and logging all sent emails to an audit trail.
- linkedin-connect / linkedin-dm: The anti-detection features (randomized delays, browser relay, handling flagged accounts) suggest these skills are designed to bypass LinkedIn's ToS enforcement. Consider documenting the ToS implications clearly and adding rate limits that cannot be overridden by the agent.
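
The skill_chaining and require_approval rules from the Recommendations above can also be checked offline against a log of agent tool calls. This is an added example, not AgentWard's own code: the trace format, the function names, and the reading of "trigger" as "invoked later in the same session" are assumptions.

```python
import re

# Rule strings copied from this page; "trigger" = later call in the same session (assumed).
SKILL_CHAINING = [
    "linkedin-connect cannot trigger outlook-delegate",
    "linkedin-dm cannot trigger outlook-delegate",
    "outlook-delegate cannot trigger linkedin-connect",
    "outlook-delegate cannot trigger linkedin-dm",
]
REQUIRE_APPROVAL = {
    "outlook-delegate:security_considerations",
    "outlook-delegate:revoking_access",
    "linkedin-connect:connecting_on_a_profile",
    "linkedin-dm:sending_flow_per_person",
}
RULE_RE = re.compile(r"^(\S+) cannot trigger (\S+)$")

def parse_chaining(rules):
    """Return forbidden (source_skill, target_skill) pairs; reject unknown syntax."""
    pairs = set()
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            raise ValueError(f"unparseable chaining rule: {rule!r}")  # fail closed
        pairs.add(m.groups())
    return pairs

def audit_trace(trace):
    """trace: ordered (session, 'skill:tool', human_approved) tuples -> (index, reason) list."""
    forbidden = parse_chaining(SKILL_CHAINING)
    seen, findings = {}, []  # seen: session -> skills already invoked there
    for i, (session, call, approved) in enumerate(trace):
        skill = call.split(":", 1)[0]
        prior = seen.setdefault(session, set())
        for src in sorted(prior):
            if (src, skill) in forbidden:
                findings.append((i, f"chain {src} -> {skill}"))
        if call in REQUIRE_APPROVAL and not approved:
            findings.append((i, f"unapproved {call}"))
        prior.add(skill)
    return findings

# Constructed trace: session s1 walks the chain described in this report, s2 does not.
SAMPLE_TRACE = [
    ("s1", "linkedin-connect:connecting_on_a_profile", True),
    ("s1", "linkedin-dm:sending_flow_per_person", False),
    ("s1", "outlook-delegate:delegate_architecture", False),
    ("s2", "outlook-delegate:files", False),
]
print(audit_trace(SAMPLE_TRACE))
```

Tracking prior skills per session keeps an unrelated outlook-delegate call in s2 from being flagged, while the s1 call is reported once for each upstream LinkedIn skill.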
Full Reports
outlook-delegate permission map (5 tools)
| Tool | Capabilities | Risk | Why |
|---|---|---|---|
| outlook-delegate:delegate_architecture | read,write | | Financial operations — value transfer risk |
| outlook-delegate:sent_items_behavior | read,write,read | | Financial operations — value transfer risk |
| outlook-delegate:security_considerations | read,write,del | | Financial operations — value transfer risk |
| outlook-delegate:revoking_access | read,write,del | | Financial operations — value transfer risk |
| outlook-delegate:files | read | | Financial operations — value transfer risk |
linkedin-connect + linkedin-dm permission map (16 tools)
| Tool | Capabilities | Risk | Why |
|---|---|---|---|
| linkedin-connect:preflight_checklist | read | ✅ LOW | |
| linkedin-connect:browser_profile | read,write | | |
| linkedin-connect:data_file_setup | read | ✅ LOW | |
| linkedin-connect:threetier_profile_discovery | read,write | | Financial operations — value transfer risk |
| linkedin-connect:connecting_on_a_profile | read,write | | Financial operations — value transfer risk |
| linkedin-connect:status_values | read | ✅ LOW | |
| linkedin-connect:multifounder_rows | read | ✅ LOW | |
| linkedin-connect:rate_limiting_antidetection | read,write | | |
| linkedin-connect:saving_progress | read | | |
| linkedin-dm:relationship_analysis_per_person | read | ✅ LOW | |
| linkedin-dm:message_structure | read,write | | Financial operations — value transfer risk |
| linkedin-dm:batch_preview_before_sending | read | ✅ LOW | |
| linkedin-dm:sending_flow_per_person | read,write | | Financial operations — value transfer risk |
| linkedin-dm:status_values | read | ✅ LOW | |
| linkedin-dm:antidetection_rules | read | ✅ LOW | |
| linkedin-dm:crm_tracking_google_sheet | read | ✅ LOW | |
Generated by AgentWard — open-source permission control plane for AI agents.