Linkedin Monitor
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent LinkedIn inbox monitor, but it uses persistent LinkedIn session access and offers autonomous replies/bookings with under-declared credentials and limited visible safeguards.
Install only if you are comfortable with a 24/7 LinkedIn monitor using your logged-in session or session cookies. Keep autonomy at Level 0 or 1, use a private alert channel, protect ~/.clawdbot/linkedin-monitor as sensitive data, verify external dependencies, and disable cron when you no longer want monitoring.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the saved cookie file may be able to access the user's LinkedIn account/session.
The included CLI asks for LinkedIn session cookies and saves them locally for account access. Registry metadata declares no primary credential or env vars, so this high-impact credential handling is under-declared.
Copy the values for 'li_at' and 'JSESSIONID' ... Enter li_at cookie value ... Enter JSESSIONID cookie value ... Credentials saved to: {config_path}
Declare the credential requirement explicitly, store cookies with restrictive permissions or a keychain, document revocation, and avoid installing unless you are comfortable granting this account access.
At higher autonomy levels, the agent could send professional messages or book meetings without the user reviewing each action.
The skill explicitly supports automatic LinkedIn replies and scheduling/networking under the user's identity, but the artifacts do not show strong enforced approval, reversibility, or containment for these account-mutating actions.
Level 2 | Auto-Reply Simple | Auto-handles acknowledgments, scheduling ... Level 3 | Full Autonomous | Replies as you, books meetings, networks
Keep the skill at Level 0 or Level 1 unless you have reviewed the implementation, and require explicit per-message approval for sending, scheduling, and networking actions.
A malicious LinkedIn message could try to manipulate the agent's reply drafting or, at higher autonomy, influence actions taken through the account.
LinkedIn message text is untrusted external content that is fed into the agent's drafting workflow. The artifacts do not show instructions to treat message content as data only or to ignore instructions embedded in messages.
Extract each conversation ... last message preview ... Draft reply for each using USER.md communication style
Add explicit prompt-injection handling: treat incoming messages as untrusted data, never follow instructions inside them, and require approval before any send/action.
The monitor may continue checking LinkedIn and using the browser session until disabled.
The skill is designed to run persistently via cron with a logged-in browser. This is disclosed and purpose-aligned, but it keeps account-monitoring automation active in the background.
Enable Hourly Monitoring ... This creates a cron job that runs every hour to check your inbox. ... Keep this browser open — it needs to stay running.
Enable cron only if you want 24/7 monitoring, periodically review the cron entry and logs, and use the documented disable command when not needed.
Private LinkedIn conversations could be visible to other people or services in the configured alert channel.
The skill forwards private LinkedIn message previews and generated draft replies to external alert channels. This is part of the stated alerting function, but the destination may be a shared or third-party channel.
Post to the configured channel (Discord, Telegram, Slack, WhatsApp, etc.): ... {message preview} ... Draft reply
Use a private alert destination, verify channel IDs carefully, and avoid forwarding sensitive inbox content to shared workspaces.
LinkedIn message content and drafts may remain on disk after the conversation is handled.
The state helper can persist inbound message text and draft replies under the skill's state directory. This supports the approval workflow but retains private message content locally.
"inboundMessage": $message, "draftReply": $draft, "conversationId": $conv_id, "status": "pending"
Treat the state directory as sensitive, clean it up when uninstalling, and consider limiting retained draft/message content.
Users may install or run external packages without the registry making those dependencies obvious.
The skill depends on external tools installed outside the provided artifact set. These installs are user-directed and purpose-aligned, but they are not captured by the registry requirements or an install spec.
`lk` CLI (LinkedIn CLI) — `npm install -g lk`; `jq` (JSON processor) — `brew install jq`
Verify external packages before installing, prefer pinned/documented versions, and update metadata to declare required binaries and tools.
