v1.1.0

Linkedin Monitor

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:55 AM.

Analysis

This skill is purpose-aligned for LinkedIn monitoring, but it asks for high-impact LinkedIn account/session access, persistent hourly monitoring, and optional autonomous replies as you.

Guidance

Review carefully before installing. If you use it, keep autonomy at Level 0 or 1, use a private alert channel, protect any LinkedIn cookies or credential files, and disable cron when you no longer want hourly monitoring.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
| 2 | Auto-Reply Simple | Auto-handles acknowledgments, scheduling |
| 3 | Full Autonomous | Replies as you, books meetings, networks |

The skill describes autonomous use of the user's LinkedIn account for replies, scheduling, and networking. These are high-impact actions, and at Levels 2 and 3 the documentation does not state what approval, rollback, or containment controls apply to them.

User impact: At higher autonomy levels, the agent may send messages or take professional networking actions as you.
Recommendation: Keep autonomy at Level 0 or 1 unless you have reviewed the exact sending workflow, safety limits, and approval behavior.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
README.md
🛡️ **Approval required** — Nothing sent without your OK
...
| 2 | Auto-reply simple — handles "thanks", scheduling automatically |
| 3 | Full autonomous — replies as you, books meetings |

The README makes a broad approval-required claim while also documenting autonomy modes that send or act automatically, creating a material ambiguity about whether messages can be sent without explicit approval.

User impact: A user may believe all replies require approval even after enabling modes that are described as automatic.
Recommendation: Treat the approval claim as applying only to Level 1 unless the maintainer documents otherwise; verify configuration before enabling higher autonomy.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
README.md
Enable Hourly Monitoring

```bash
linkedin-monitor enable
```

Done! The monitor will now check your inbox every hour.

The skill intentionally creates persistent hourly monitoring via cron. This is disclosed and purpose-aligned, but it means the skill continues operating in the background after setup.

User impact: The skill can keep checking LinkedIn on a schedule until disabled.
Recommendation: Only run `linkedin-monitor enable` if you want ongoing background monitoring, and use `linkedin-monitor disable` before uninstalling or pausing it.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
package.json
"requires": {
  "tools": ["browser", "cron", "message"],
  "bins": ["jq"]
}

The package declares browser, cron, message, and jq requirements, while the registry section reports no required binaries, env vars, config paths, or capability tags. This looks like under-declared metadata rather than hidden behavior.

User impact: The installer metadata may not fully prepare users for the capabilities and dependencies the skill expects.
Recommendation: Before installing, confirm you are comfortable granting browser, cron, messaging, jq, and LinkedIn CLI/API dependencies.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/lk.py
li_at = os.environ.get('LINKEDIN_LI_AT')
jsessionid = os.environ.get('LINKEDIN_JSESSIONID')
...
config_path = os.path.expanduser('~/.clawdbot/linkedin-monitor/credentials.json')

The code uses LinkedIn session cookies from environment variables or a local credentials file, giving account-level access to the user's LinkedIn session; registry metadata declares no primary credential or env vars.

User impact: Installing and configuring this can give the skill access to your LinkedIn account session and private messages.
Recommendation: Use only a dedicated/limited LinkedIn session if possible, protect the credentials file, and verify exactly where cookies are stored before enabling monitoring.
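As an added example, not part of the ClawScan review or of the skill's own code, the following audit reports the two exposure points raised by the Rogue Agents and Identity and Privilege Abuse findings: session cookies left in the environment or in a credentials file readable by other users, and a background schedule that is still active. The env var names and the credentials path are taken from the scripts/lk.py excerpt above; the assumption that the hourly job shows up in the user's crontab (`crontab -l`) is mine, since the skill may instead register with the agent's own cron tool, in which case `linkedin-monitor disable` remains the documented way to stop it.

```python
# Added example, not code from the ClawScan review or from the skill.
import os
import stat
import subprocess
from pathlib import Path

# Names taken from the scripts/lk.py excerpt in the review.
SESSION_ENV_VARS = ("LINKEDIN_LI_AT", "LINKEDIN_JSESSIONID")
DEFAULT_CREDENTIALS = "~/.clawdbot/linkedin-monitor/credentials.json"


def audit_credentials(environ, config_path=DEFAULT_CREDENTIALS):
    """Return findings about where LinkedIn session cookies are exposed.

    environ is a mapping (os.environ, or a dict in tests); config_path may use ~.
    """
    findings = []
    exposed = [name for name in SESSION_ENV_VARS if environ.get(name)]
    if exposed:
        findings.append(
            "session cookies in environment: " + ", ".join(exposed)
            + " (inherited by every process started from this shell)")
    path = Path(os.path.expanduser(config_path))
    if path.is_file():
        mode = stat.S_IMODE(path.stat().st_mode)
        # Any group/other bit means another local user can read the cookies.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                f"{path} is readable by group/other (mode {mode:04o}); expected 0600")
    return findings


def cron_entries(crontab_text, marker="linkedin-monitor"):
    """Return active (non-comment) crontab lines that reference the monitor.

    Assumption: the hourly job lands in the user's crontab. If the agent's own
    cron tool is used instead, inspect that scheduler rather than crontab.
    """
    entries = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and marker in stripped:
            entries.append(stripped)
    return entries


def read_user_crontab():
    """Run `crontab -l`; returns "" if crontab is missing or has no entries."""
    try:
        result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return result.stdout if result.returncode == 0 else ""


if __name__ == "__main__":
    for finding in audit_credentials(os.environ):
        print("WARN", finding)
    for entry in cron_entries(read_user_crontab()):
        print("CRON", entry)
```

Run it once after configuring the skill and again after `linkedin-monitor disable`; a clean run prints nothing. A mode finding is fixed with `chmod 600` on the credentials file, and an environment finding means the cookies should be moved out of your shell profile into the file the skill reads.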
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
CRON-PAYLOAD.md
Post to the configured channel (Discord, Telegram, Slack, WhatsApp, etc.):
  Format:
  📬 **{Name}**
  > {message preview}
  
  **Draft reply:**

The workflow sends LinkedIn message previews and drafted replies to third-party chat channels. This is disclosed and central to alerts, but it moves private inbox content outside LinkedIn.

User impact: Private LinkedIn message content may appear in Discord, Slack, Telegram, WhatsApp, or another configured alert channel.
Recommendation: Choose a private alert channel with trusted members only, and avoid configuring shared or public channels.
Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/state.sh
'inboundMessage': $message,
'draftReply': $draft,
'conversationId': $conv_id,
'createdAt': $created,
'status': "pending"

The skill stores inbound message text, draft replies, and conversation identifiers in local persistent state for approval and deduplication. This is purpose-aligned but contains private communication data.

User impact: LinkedIn message details and draft replies may remain on disk under the skill's state directory.
Recommendation: Review and periodically clean `~/.clawdbot/linkedin-monitor/state/` if you do not want drafts or message metadata retained.
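Deleting the state directory outright also removes the conversation identifiers the skill uses for deduplication, so old threads would be alerted on again. As an added example, not part of the ClawScan review or of the skill's own code, the script below scrubs only the private text fields (`inboundMessage`, `draftReply`) from entries that are resolved or older than a retention window, and keeps `conversationId`, `createdAt` and `status`. The field names come from the scripts/state.sh excerpt above; the one-JSON-object-per-file layout, the ISO 8601 `createdAt` format and the 7-day window are my assumptions and should be checked against the real state files before use.

```python
# Added example, not code from the ClawScan review or from the skill.
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Path from the review's recommendation; layout inside it is an assumption.
STATE_DIR = Path("~/.clawdbot/linkedin-monitor/state").expanduser()
# Field names from the scripts/state.sh excerpt.
PRIVATE_FIELDS = ("inboundMessage", "draftReply")      # message content
# conversationId / createdAt / status are kept so dedup and approval still work.


def parse_created(value):
    """Parse createdAt as ISO 8601 (assumed format); naive values count as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def scrub_entry(entry, now, max_age=timedelta(days=7)):
    """Return (new_entry, changed).

    Private text is dropped once the entry is no longer pending or is older
    than max_age; a fresh pending draft is left untouched so it can still be
    approved.
    """
    age = now - parse_created(entry["createdAt"])
    if entry.get("status") == "pending" and age <= max_age:
        return entry, False
    scrubbed = {k: v for k, v in entry.items() if k not in PRIVATE_FIELDS}
    return scrubbed, scrubbed != entry


def scrub_state_dir(state_dir, now=None, max_age=timedelta(days=7)):
    """Rewrite every *.json entry under state_dir; return the paths that changed."""
    now = now or datetime.now(timezone.utc)
    changed = []
    for path in sorted(Path(state_dir).glob("*.json")):
        entry = json.loads(path.read_text())
        new_entry, did_change = scrub_entry(entry, now, max_age)
        if did_change:
            path.write_text(json.dumps(new_entry, indent=2))
            changed.append(path)
    return changed


if __name__ == "__main__":
    for path in scrub_state_dir(STATE_DIR):
        print("scrubbed", path)
```

Run it from the same cron schedule as the monitor, or by hand after reviewing the pending queue; because the identifiers survive, the skill will not re-alert on threads it has already handled.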