Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LinkedIn Content Strategy Analyzer

v1.0.1

Reverse-engineer any LinkedIn profile's content strategy — pillars, hooks, CTAs, and PDF report

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a LinkedIn profile/post analysis CLI that reasonably needs a web-scraping key (APIFY) and an LLM API key (OpenAI/Gemini/Anthropic). However, the registry metadata declares no required environment variables or credentials while the instructions explicitly require APIFY_API_KEY and one of several LLM keys — this metadata mismatch is incoherent and should be corrected.
Instruction Scope
The runtime instructions include an auto-update Python snippet that will run shell commands (git pull; pip install -e .) against ~/ai-native-toolkit if that repo exists. That silently executes network operations and package installation from a local repo and can modify files in the user's home directory. The SKILL.md also tells the agent to install 'ai-native-toolkit' via pip if missing. These behaviors go beyond mere analysis commands and increase the attack surface.
Install Mechanism
There is no formal install spec in the registry. The skill relies on pip installing 'ai-native-toolkit' or pulling/updating a repo in the user's home and running pip install -e on it. Installing or auto-updating packages via pip/git without a declared, verifiable source is higher risk because arbitrary code can be introduced.
Credentials
Requesting APIFY_API_KEY and an LLM API key is proportionate to scraping + AI analysis, but the registry declared no required env vars. The absence of declared credentials in metadata while instructions require multiple secrets is an inconsistency that could lead to unexpected prompts or accidental exposure of credentials.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide privileges in metadata. The only persistent action in the instructions is writing a '.last_updated' timestamp inside ~/ai-native-toolkit when that repo exists — that is limited scope but still writes to the user's home directory.
Scan Findings in Context
[no-findings] unexpected: Static scanner found no code files to analyze (instruction-only). This reduces static evidence and makes the SKILL.md the primary surface for review; missing metadata (env vars) is visible only in the instructions.
What to consider before installing
Before installing or running this skill:
(1) Ask the publisher for the source/repo URL and update the registry metadata to explicitly list required environment variables (APIFY_API_KEY and which LLM key).
(2) Do NOT run the auto-update snippet or pip install until you have reviewed the ai-native-toolkit package source or the repo contents; if you must install, do so in an isolated environment (VM or container).
(3) Use ephemeral or least-privilege API keys if possible and audit what data the tool sends to external services (APIFY, LLM providers).
(4) Consider manual installation steps you control (explicit pip install from a verified project URL) and avoid silent auto-update behavior.
If the owner cannot provide a trusted source or explain the auto-update mechanism, treat the package as high-risk and avoid installation.


Tags: analytics, content-strategy, latest, linkedin, pdf
