Linkedin Pipedream
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a real LinkedIn/Pipedream automation skill, but it can mutate public LinkedIn content and its helper script uses local Pipedream credentials with hard-coded account and organization identifiers.
Install only if you intend to let the agent act on LinkedIn through Pipedream. Before using it, edit or remove the hard-coded defaults in org-post.mjs, verify the exact LinkedIn account and organization being used, and require explicit confirmation before any post, comment, like, or deletion.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could publish, engage with, or delete LinkedIn content in a way that affects the user's or organization’s public reputation.
The skill exposes public LinkedIn mutation tools, including posting, commenting, liking, and deleting. These are purpose-aligned, but the artifacts do not show clear approval or scoping rules for when an agent may perform them.
`linkedin-create-text-post-user` | Post as personal account | ... `linkedin-create-comment` | Comment on any post | ... `linkedin-create-like-on-share` | Like a post | ... `linkedin-delete-post` | Delete your post |
Require explicit user confirmation before every post, comment, like, organization post, or deletion, including the exact account, organization, target post, and final text.
A user or agent could accidentally try to post through the wrong Pipedream/LinkedIn identity or organization, or rely on persistent credentials without realizing which account is being used.
The helper reads local Pipedream credentials and defaults to specific user, organization, and LinkedIn auth provision identifiers. That makes account selection and delegated authority unclear for a high-impact organization posting action.
const configPath = join(homedir(), '.config', 'pdauth', 'config.json'); ... clientSecret: config.clientSecret ... DEFAULTS = { userId: 'telegram:5439689035', orgId: '105382747', authProvisionId: 'apn_4vhLGx4' }Remove hard-coded account identifiers, require the user to explicitly provide or select the LinkedIn auth provision and organization, and document exactly which local credential file is read and why.
Users cannot verify from these artifacts which exact SDK version would be installed or executed.
The helper relies on an external SDK, but the supplied artifacts do not include a package.json, lockfile, or install spec pinning the dependency version. This is expected for a Pipedream helper, but provenance is incomplete.
import { PipedreamClient } from '@pipedream/sdk';Provide a pinned package manifest or avoid the direct SDK helper unless the dependency source and version are reviewed.
LinkedIn profile, post, comment, organization, and action data may be processed through Pipedream as part of normal operation.
The skill clearly uses Pipedream as an OAuth/MCP intermediary for LinkedIn actions. This is purpose-aligned, but users should understand that LinkedIn actions and related data flow through Pipedream.
Full LinkedIn automation using Pipedream's OAuth infrastructure. ... **LinkedIn account connected via OAuth**
Review the Pipedream OAuth permissions and connected account before use, and disconnect the integration when no longer needed.