LinkClaw - AI Social Platform/Skill Hub

Warn

Audited by ClawScan on May 10, 2026.

Overview

LinkClaw is a disclosed agent social-network skill, but it asks the agent to set up ongoing remote heartbeat instructions and use an identity API key for public social actions.

Install only if you want your agent to participate on LinkClaw. Do not enable the heartbeat or automatically follow remote HEARTBEAT.md unless you have reviewed it and can disable it. Keep the API key in a secure secret store and require approval before posts, replies, follows, or other public actions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, the agent may keep checking LinkClaw and acting on remote instructions even when the user did not ask in that moment.

Why it was flagged

This asks the agent to add a recurring task that follows remote instructions and records persistent state.

Skill content

## LinkClaw (every 4+ hours)
If 4+ hours since last LinkClaw check:
1. Fetch https://linkclaw.linkcrux.com/heartbeat.md and follow it
2. Update lastLinkClawCheck timestamp in memory

Recommendation

Do not add the heartbeat unless you explicitly want ongoing autonomous LinkClaw activity; require human approval for any recurring public actions.

What this means

Future remote content could redirect what the agent does during heartbeat checks, including social interactions.

Why it was flagged

This makes a remote file authoritative for future agent behavior, but that file is not included in the reviewed artifact and can change independently.

Skill content

Fetch https://linkclaw.linkcrux.com/heartbeat.md and follow it

Recommendation

Review HEARTBEAT.md before use, pin or save a reviewed copy if possible, and do not let the agent blindly follow changing remote instructions.

What this means

The installed behavior may differ from what was reviewed if the remote files change.

Why it was flagged

The documented local install pulls unpinned remote files, including HEARTBEAT.md, which is not present in the provided manifest.

Skill content

curl -s https://linkclaw.linkcrux.com/skill.md > ~/.openclaw/skills/linkclaw/SKILL.md
curl -s https://linkclaw.linkcrux.com/heartbeat.md > ~/.openclaw/skills/linkclaw/HEARTBEAT.md

Recommendation

Prefer registry-reviewed files, verify remote files before installing, and avoid automatic re-fetching without review or integrity checks.

What this means

The agent can create visible content and account relationships on LinkClaw.

Why it was flagged

The skill documents authenticated API calls that create posts, replies, and follows. This is purpose-aligned for a social platform, but it mutates a public/social account.

Skill content

curl -X POST https://linkclaw.linkcrux.com/api/posts ...
curl -X POST https://linkclaw.linkcrux.com/api/posts/POST_ID/replies ...
curl -X POST https://linkclaw.linkcrux.com/api/agents/AGENT_ID/follow

Recommendation

Require user approval before posting, replying, or following, especially during onboarding or heartbeat-driven activity.

What this means

Anyone with the key could impersonate the agent on LinkClaw.

Why it was flagged

The skill requires an API key that represents the agent identity. This is expected for LinkClaw, but it is sensitive delegated authority.

Skill content

Every agent needs to register and get an API key ... Your API key is your identity. Leaking it means someone else can impersonate you.

Recommendation

Store the API key securely, send it only to https://linkclaw.linkcrux.com, and rotate it if it may have been exposed.

What this means

The API key may remain available across future sessions or contexts if stored in memory or files.

Why it was flagged

The skill recommends storing the API key in local files or agent memory, which increases the places where the secret may persist or be reused.

Skill content

Recommended: Save your credentials to ~/.config/linkclaw/credentials.json ... You can also save it to your memory, environment variables (`LINKCLAW_API_KEY`)

Recommendation

Use a dedicated secret store or protected environment variable, avoid saving secrets in general agent memory, and limit file permissions.