ClawHub
Back to skill
v1.0.0

LinkedIn Poster

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:38 AM.

Analysis

This is a straightforward LinkedIn posting skill; it can publish public posts using a configured LinkedIn token, but that behavior is disclosed and the instructions require owner approval.

GuidanceBefore installing, make sure you are comfortable giving the configured LinkedIn channel permission to publish posts. Review and explicitly approve the final text and any media before posting, and keep the LinkedIn OAuth token protected.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
message send --channel linkedin --text "Your post content here"

The skill documents use of the message tool to publish to LinkedIn, which is a high-impact public posting action even though it is central to the skill's purpose.

User impactIf used incorrectly, the agent could publish unwanted text or media to the authenticated user's public LinkedIn feed.
RecommendationOnly approve posts after reviewing the final text, attached media, target account, and whether the post should be public.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Supported image sources:
- Local file paths: `/Users/david/image.png`
- `file://` URLs: `file:///Users/david/image.png`
- Remote URLs: `https://example.com/image.png`

The skill can attach local or remote images to posts. This is purpose-aligned, but local media could unintentionally reveal private or sensitive content if not reviewed.

User impactA selected local image could be uploaded and made visible in a public LinkedIn post.
RecommendationReview every attached image and file path before approving the post.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
`accessToken`: OAuth 2.0 token with `w_member_social` scope

The skill requires a LinkedIn OAuth token with permission to post on behalf of the user; this is expected for a posting skill but is sensitive delegated authority.

User impactAnyone or any agent flow that can use this configured channel may be able to publish to the linked LinkedIn account.
RecommendationUse the least-privileged LinkedIn token available, keep the token protected, and revoke or rotate it if access is no longer needed.