Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linkedin Pipedream

v1.0.0

Post to LinkedIn, comment, like, search organizations, and manage profiles via Pipedream OAuth integration.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (LinkedIn via Pipedream) match the declared binary dependency (pdauth), the SKILL.md instructions (pdauth connect/status/call), and the included workaround script which calls Pipedream actions. Dependency on pdauth is expected for this functionality.
Instruction Scope
Most runtime instructions stick to the stated purpose (connect via OAuth, call Pipedream tools to post/comment/like/search). However the included org-post.mjs script reads the user's ~/.config/pdauth/config.json (clientId/clientSecret/projectId) and uses the Pipedream SDK to run an action directly as a workaround. That file access is within the domain of using pdauth but is not explicitly called out as a sensitive operation in the main metadata, so users should be aware the skill will read local auth configuration.
Install Mechanism
There is no external download or remote URL; the skill depends on the pdauth skill/CLI which is coherent. The org-post.mjs file imports '@pipedream/sdk' and requires Node to run, but the skill metadata does not declare Node/npm or that package as an install step — that is a minor coherence gap (the script will fail unless the runtime provides @pipedream/sdk or the user installs it).
Credentials
The skill declares no required environment variables, but the included script reads ~/.config/pdauth/config.json which contains clientId, clientSecret, and projectId (sensitive credentials). Reading those local secrets is explainable by the workaround, but the metadata does not declare access to those secrets. Users should expect the skill to access their pdauth config (client credentials and project info).
Persistence & Privilege
always is false and the skill does not request elevated or permanent placement. It does not modify other skills or global agent settings. Autonomous invocation is allowed (default) but not combined with other high-risk factors.
Assessment
This skill appears to do what it says (use Pipedream/pdauth to interact with LinkedIn), but review a few things before installing:
- The included Node script (org-post.mjs) reads ~/.config/pdauth/config.json and will access clientId/clientSecret/projectId stored by pdauth — these are sensitive credentials. Only install if you trust the skill owner and understand that the script uses your local pdauth credentials.
- The script imports '@pipedream/sdk' and expects Node to be available; the skill metadata doesn't declare Node/npm or that package as an install step. If you plan to use the workaround, ensure you have Node and the @pipedream/sdk dependency installed or run the commands through the pdauth CLI instead.
- Check the hard-coded defaults (default orgId, userId, authProvisionId) in org-post.mjs — they may not match your accounts; inspect and edit the script if needed.
- Prefer using the pdauth CLI flows (connect/status/call) when possible because they avoid the skill reading your local client secret; use the script only if you understand and accept the local credential access.
If you want higher assurance, ask the publisher for: (a) a signed source or canonical repository, (b) an explicit install step for Node/@pipedream/sdk, and (c) confirmation that the script will not transmit credentials to any endpoint other than Pipedream's official API.

Like a lobster shell, security has layers — review code before you run it.

latestvk970gmgagqx1vc32shewx578w180h9bh

Runtime requirements

💼 Clawdis
Bins: pdauth
