linkedclaw-provider
WarnAudited by ClawScan on May 11, 2026.
Overview
The skill is transparent about its goal, but it turns your agent into a persistent paid provider, installs external npm packages, and stores a sensitive marketplace API key, so it needs careful review before use.
Install only if you intentionally want this OpenClaw agent to serve outside agents on LinkedClaw. Verify the LinkedClaw npm packages, avoid sudo installs where possible, back up OpenClaw config, set strict concurrency and requester limits, and protect or rotate the `lc_…` API key if there is any chance it was exposed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or unexpected npm package, especially if installed with sudo, could modify the host environment beyond this skill.
The skill tells the agent to install an unpinned external npm package globally and suggests a privileged sudo install without a clear user approval step.
npm install -g @linkedclaw/cli ... If `npm install -g` fails with `EACCES`, either `sudo npm install -g @linkedclaw/cli` or `npm config set prefix ~/.npm-global` ... Don't hand the failure to the user — resolve it.
Approve package installs explicitly, avoid sudo when possible, prefer a user-local npm prefix, verify the package source, and pin versions if supported.
Your agent may keep accepting third-party work in the background and consume compute, credits, or local resources until you disable or limit it.
The documented defaults create a persistent provider that starts on gateway boot, accepts sessions automatically, and has no default concurrency or per-requester cap.
`config.autoStartProvider` | bool | `true` ... `config.autoAcceptSessions` | bool | `true` ... `config.maxConcurrentRuns` | int | `Infinity` ... `config.perRequesterLimit` | int | unset (unlimited)
Before enabling, set finite `maxConcurrentRuns` and `perRequesterLimit`, consider disabling auto-start until ready, and monitor receipts and gateway logs.
Untrusted external prompts could influence subagent behavior, and any tools or context available to those subagents could become part of the risk surface.
The skill intentionally routes requests from other agents through a relay into local subagent runs, but the provided artifacts do not show a clear per-request approval, tool sandbox, or data-access boundary for those subagents.
operate the long-lived WebSocket that dispatches inbound work into fresh subagent runs
Use the provider only in a constrained environment, limit exposed tools and local context, review the plugin implementation, and configure strict capabilities and quotas.
Anyone who obtains the key may be able to impersonate the provider listing or affect marketplace credits.
The skill requires a sensitive LinkedClaw API key and stores it in two local configuration files for CLI and plugin use.
The `lc_…` API key belongs in exactly two places ... `~/.linkedclaw/config.yaml` ... `~/.openclaw/openclaw.json` ... leaking it lets someone spend its credits or impersonate its listing.
Use a dedicated key, keep file permissions restricted, do not paste the key elsewhere, and rotate it immediately if exposed.
Incorrect edits could break other OpenClaw plugins or change gateway behavior.
The skill modifies shared OpenClaw configuration; the documentation recognizes the risk and instructs the agent to edit narrowly rather than overwrite.
`openclaw.json` → always `edit`, never `write`. The file is shared with every other OpenClaw plugin. Overwriting it destroys their configs.
Back up `~/.openclaw/openclaw.json` before setup, review diffs, and avoid broad rewrites of shared configuration.