Linkedin API

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for LinkedIn data lookup, but it relies on a LinkdAPI API key and runtime installation/execution of an unpinned Python package, so users should verify the service and handle credentials carefully.

Before installing, verify that you trust LinkdAPI and the Python package, configure the API key as an environment variable rather than hardcoding it, and review any generated uv script if using the skill in a sensitive workspace.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or unexpected package version could affect the code run in the user's workspace.

Why it was flagged

The skill directs the agent to install and run an unpinned external Python package at task time. This is disclosed and central to the skill, but users should verify the package and service source.

Skill content

`# dependencies = ["linkdapi"]` ... `uv run script.py` ... This installs dependencies automatically

Recommendation

Use a trusted package source, consider pinning a known-good version, and review generated scripts before running them in sensitive environments.

What this means

The agent may use the configured LinkdAPI key to make queries against the user's API account.

Why it was flagged

The skill uses a third-party API key to authenticate LinkdAPI requests. This is expected for the integration, but the registry metadata does not declare a required credential.

Skill content

`export LINKDAPI_API_KEY="your_api_key_here"` ... `client = LinkdAPI(os.getenv("LINKDAPI_API_KEY"))`

Recommendation

Store the key in an environment variable, avoid hardcoding it into scripts, and use the least-privileged or revocable key available.

What this means

Generated scripts may access the network and local environment variables, including the LinkdAPI key.

Why it was flagged

The documented workflow involves creating and executing temporary local Python scripts. This is the intended operating model, but it is still executable code in the user's environment.

Skill content

Write a temporary script in workspace with the uv script header ... Run with `uv run` ... Delete the script after use (optional)

Recommendation

Run only scripts that match the requested LinkedIn lookup, avoid including unrelated dependencies, and delete temporary scripts after use.

What this means

The agent could retrieve personal contact details from the LinkdAPI service when asked.

Why it was flagged

The skill documents methods that can retrieve personal contact information. This fits the LinkedIn data access purpose, but it should be used only for legitimate, user-requested tasks.

Skill content

`get_contact_info(username)` — Email, phone, websites

Recommendation

Use the contact-information methods only when clearly needed and consistent with applicable privacy rules and the user's intent.