LinkedIn CLI
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the environment variables are exposed or the command is run in an unintended context, someone could potentially reuse the LinkedIn session cookies to access the account.
The code uses LinkedIn browser session cookies as account credentials. This is disclosed and matches the skill purpose, but these cookies are sensitive and may grant broader account access than the read-only CLI actions shown.
li_at = os.environ.get("LINKEDIN_LI_AT")
jsessionid = os.environ.get("LINKEDIN_JSESSIONID")
...
jar.set("li_at", li_at, domain=".www.linkedin.com")
jar.set("JSESSIONID", jsessionid, domain=".www.linkedin.com")
...
return Linkedin("", "", cookies=jar)Only use this in a trusted local environment, avoid sharing logs or shells that contain the cookies, and revoke the session by logging out of LinkedIn if the cookies may have been exposed.
A compromised or unexpected version of the dependency could receive the LinkedIn session cookies used by this tool.
The dependency is installed manually without a pinned version. This is normal for a simple CLI, but the dependency is part of the credential-handling path and should be trusted.
Requires the `linkedin-api` Python package: ```bash pip install linkedin-api ```
Install the dependency from a trusted package source, consider pinning a known-good version, and use an isolated Python environment.