ClawHub

Unipile Linkedin Sdk

v1.5.0

LinkedIn integration via Unipile's official Node.js SDK. Send messages, InMail, view profiles, manage connections, create posts, and interact with content. U...

2· 107·0 current·0 all-time
byMohit Yadav@mohit21gojs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Unipile LinkedIn SDK) match the code and instructions: the CLI uses unipile-node-sdk and requires UNIPILE_DSN and UNIPILE_ACCESS_TOKEN to interact with LinkedIn via Unipile. These credentials are appropriate for the declared functionality. Minor metadata inconsistency: registry/summary at the top lists 'Required env vars: none' while SKILL.md and the script clearly declare required env vars.
Instruction Scope
SKILL.md and scripts/linkedin.mjs limit actions to Unipile API calls (profiles, posts, messaging, invites). Instructions tell users to npm install the official SDK and set the DSN/TOKEN; the runtime script only reads the documented env vars and command-line args. There are no instructions to read unrelated files, system secrets, or to send data to unexpected endpoints (the DSN is provided by the user).
Install Mechanism
No install spec in the skill bundle (instruction-only) and the docs simply recommend 'npm install unipile-node-sdk', which is a normal, low-risk public-registry dependency. The repository includes package.json and package-lock.json with standard npm packages; there are no archive downloads or remote extract steps.
Credentials
The environment variables requested (UNIPILE_DSN, UNIPILE_ACCESS_TOKEN, optional UNIPILE_PERMISSIONS) are proportional and necessary for the described Unipile integration. The SKILL.md marks UNIPILE_ACCESS_TOKEN as primaryEnv; this is expected. Note: the earlier top-level metadata omitted these required env vars, which is an inconsistency to be aware of but does not itself indicate extra privilege.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not require persistent system-level privileges. It is user-invocable and allows autonomous invocation (platform default) but that is not unusual and is not combined with other red flags here.
Assessment
This skill appears to do exactly what it claims. Before installing: (1) Verify you trust the Unipile service and the source of the skill (homepage/source URLs point to clawhub.ai, but the package author is unidentified in the bundle). (2) Prefer UNIPILE_PERMISSIONS=read for least privilege unless you explicitly need write operations. (3) Ensure UNIPILE_DSN points to the official Unipile endpoint from dashboard.unipile.com (do not set it to a third-party server you don't trust). (4) Audit the npm package 'unipile-node-sdk' (version constraints) on the npm registry if you want extra assurance, and avoid reusing the same token across unrelated services.

Like a lobster shell, security has layers — review code before you run it.

latestvk974pxghv4maj5jj8zejrf8ds983bdak

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments