Linkedin API

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: linkdapi

Version: 1.0.0

The skill is designed to interact with the LinkdAPI service for LinkedIn data. All instructions for the AI agent in SKILL.md, including the example workflow, are clearly aligned with this stated purpose. The skill correctly uses `os.getenv("LINKDAPI_API_KEY")` for API key management and instructs the agent to create, run, and delete ephemeral Python scripts using `uv run`. There is no evidence of prompt injection attempts to mislead the agent, exfiltrate data, establish persistence, or execute arbitrary malicious code. The external URLs (`https://linkdapi.com/signup?ref=K_CZJSWF`, `https://linkdapi.com/docs`) are directly related to the LinkdAPI service.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or unexpected package version could affect the code run in the user's workspace.

Why it was flagged

The skill directs the agent to install and run an unpinned external Python package at task time. This is disclosed and central to the skill, but users should verify the package and service source.

Skill content

# dependencies = ["linkdapi"] ... uv run script.py ... This installs dependencies automatically

Recommendation

Use a trusted package source, consider pinning a known-good version, and review generated scripts before running them in sensitive environments.

What this means

The agent may use the configured LinkdAPI key to make queries against the user's API account.

Why it was flagged

The skill uses a third-party API key to authenticate LinkdAPI requests. This is expected for the integration, but the registry metadata does not declare a required credential.

Skill content

export LINKDAPI_API_KEY="your_api_key_here" ... client = LinkdAPI(os.getenv("LINKDAPI_API_KEY"))

Recommendation

Store the key in an environment variable, avoid hardcoding it into scripts, and use the least-privileged or revocable key available.

What this means

Generated scripts may access the network and local environment variables, including the LinkdAPI key.

Why it was flagged

The documented workflow involves creating and executing temporary local Python scripts. This is the intended operating model, but it is still executable code in the user's environment.

Skill content

Write a temporary script in workspace with the uv script header ... Run with `uv run` ... Delete the script after use (optional)

Recommendation

Run only scripts that match the requested LinkedIn lookup, avoid including unrelated dependencies, and delete temporary scripts after use.

What this means

The agent could retrieve personal contact details from the LinkdAPI service when asked.

Why it was flagged

The skill documents methods that can retrieve personal contact information. This fits the LinkedIn data access purpose, but it should be used only for legitimate, user-requested tasks.

Skill content

`get_contact_info(username)` — Email, phone, websites

Recommendation

Use the contact-information methods only when clearly needed and consistent with applicable privacy rules and the user's intent.