Skill v1.0.0

ClawScan security

Linkedin Email Phone Apify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 28, 2026, 9:19 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill does what it says — it runs two Apify actors to enrich LinkedIn URLs and merges results; the only notable issue is a metadata mismatch about required environment variables.
Guidance
This skill is internally consistent with its purpose: it needs an Apify API token to run two actors and merge results. Before installing, verify the following:
1) The APIFY_TOKEN is legitimate and scoped appropriately (avoid using a highly privileged token in shared environments);
2) Confirm the two hardcoded actor IDs on your Apify account/console to ensure you trust those actors and their provider;
3) The registry metadata mismatch (claims no env vars vs SKILL.md requiring APIFY_TOKEN) should be corrected — assume the skill needs APIFY_TOKEN;
4) Test with a very small set of LinkedIn URLs first and avoid supplying secrets or unrelated files;
5) Consider legal/ToS implications of scraping LinkedIn data and ensure your use complies with applicable rules;
6) If you deploy in automation, monitor runs and be prepared to rotate/revoke the APIFY_TOKEN if anything unexpected occurs.

Review Dimensions

Purpose & Capability
note: The name/description (LinkedIn enrichment via Apify) match the implementation: the script calls Apify actor endpoints using two hardcoded actor IDs and merges results. However, registry metadata provided at the top of the submission claims no required env vars/credentials while SKILL.md and the script clearly require an APIFY_TOKEN — this mismatch should be resolved.
Instruction Scope
ok: SKILL.md and the included Python script limit actions to: accepting LinkedIn URLs, normalizing them, calling Apify run-sync endpoints for two actor IDs, merging responses, and returning JSON. The instructions do not ask the agent to read unrelated system files, call obscure endpoints, or exfiltrate secrets beyond using the declared APIFY_TOKEN.
Install Mechanism
ok: No install spec — instruction-only skill with a bundled Python script. There are no downloads or archive extraction steps. Risk from installation is low; the script runs in the user's environment and relies on standard library modules only.
Credentials
note: The script requires a single credential (APIFY_TOKEN), which is appropriate for running Apify actors. The inconsistency: registry metadata earlier listed 'Required env vars: none' and 'Primary credential: none' while SKILL.md and the script declare APIFY_TOKEN as required/primary. Confirm the registry metadata or SKILL.md to avoid surprises.
Persistence & Privilege
ok: The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide agent settings. It runs only when invoked and accepts the token via env var or CLI argument.