LinkedIn Automator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is transparent about automating LinkedIn, but it can publicly like, comment, post, and schedule future posts from your logged-in account without clear per-action approval.

Install only if you are comfortable letting an agent act through your logged-in LinkedIn account. Review every post, comment, and scheduled cron job before it goes live, and treat the metadata mismatch as a provenance issue to clarify with the publisher.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation (Medium)
What this means

The agent could like or comment publicly from the user's professional LinkedIn account in ways the user did not specifically approve.

Why it was flagged

The workflow instructs browser-driven public engagement on posts chosen by the agent, without requiring user review of each like/comment.

Skill content
For each qualifying post (up to $LIMIT): ... **Like the post** (always do this) ... **Leave a thoughtful comment** (on best posts)
Recommendation

Require explicit approval for each post target and drafted comment, or at minimum a reviewed batch preview before any public action.
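The gate described in the recommendation above, written out as an added example (not code from the LinkedIn Automator skill or from ClawScan): every public action the agent plans is rendered in a batch preview, each preview line carries an id derived from the exact action content, and only ids the reviewer explicitly approved are released. Because the id binds kind, target and text, an approval cannot be reused for a different post or for comment text the agent rewrites after review. The action kinds, post ids and comment text are constructed for the example.

```python
"""Added example: fail-closed approval gate for public LinkedIn actions.

Not part of the skill or of ClawScan. Action kinds, post ids and text are
assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass

# Read-only steps the agent may take without review; everything else is
# public and therefore gated. Names are assumptions for this example.
READ_ONLY_KINDS = {"read", "search"}


@dataclass(frozen=True)
class PlannedAction:
    kind: str          # "like", "comment", "post", "schedule", "read", ...
    target: str        # post URL/id, or "feed" for a new post
    text: str = ""     # comment or post body; empty for likes


def action_id(action: PlannedAction) -> str:
    """Stable id bound to kind, target and text, so an approval cannot be
    reused for a different target or for edited comment text."""
    raw = "\x00".join((action.kind, action.target, action.text)).encode()
    return hashlib.sha256(raw).hexdigest()[:12]


def render_preview(actions) -> str:
    """Batch preview the user reviews before anything goes live."""
    lines = []
    for a in actions:
        if a.kind in READ_ONLY_KINDS:
            continue
        body = f'  "{a.text}"' if a.text else ""
        lines.append(f"{action_id(a)}  {a.kind.upper():<8} {a.target}{body}")
    return "\n".join(lines)


def gate(actions, approvals):
    """Split planned actions into (approved, blocked).

    approvals maps action ids to True for explicitly approved actions.
    A missing id, a False, or any other value blocks the action."""
    approved, blocked = [], []
    for a in actions:
        if a.kind in READ_ONLY_KINDS or approvals.get(action_id(a)) is True:
            approved.append(a)
        else:
            blocked.append(a)
    return approved, blocked


# Constructed sample plan mirroring the workflow quoted from SKILL.md: like
# every qualifying post, comment on the best one. Post ids are made up.
SAMPLE_PLAN = [
    PlannedAction("read", "feed"),
    PlannedAction("like", "post:1001"),
    PlannedAction("like", "post:1002"),
    PlannedAction("comment", "post:1002", "Great breakdown of the rollout."),
    PlannedAction("like", "post:1003"),
]


def demo():
    """Reviewer approves the likes on 1001/1002 and the comment, rejects 1003.
    Returns the gate result for the reviewed plan and for a plan in which the
    agent rewrote the comment after review (its id changes, so it is blocked)."""
    decisions = {
        action_id(SAMPLE_PLAN[1]): True,
        action_id(SAMPLE_PLAN[2]): True,
        action_id(SAMPLE_PLAN[3]): True,
        action_id(SAMPLE_PLAN[4]): False,
    }
    tampered = list(SAMPLE_PLAN)
    tampered[3] = PlannedAction("comment", "post:1002", "Great post! Check out my profile.")
    return gate(SAMPLE_PLAN, decisions), gate(tampered, decisions)


if __name__ == "__main__":
    print(render_preview(SAMPLE_PLAN))
    (ok, no), (ok2, no2) = demo()
    print(len(ok), "approved,", len(no), "blocked; after edit:",
          len(ok2), "approved,", len(no2), "blocked")
```

The preview plus content-bound ids is what turns "reviewed batch preview" into an enforceable control: the agent can still choose the posts, but nothing it chose or drafted reaches LinkedIn unless the reviewer approved that exact action.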

ASI03: Identity and Privilege Abuse (Medium)
What this means

Actions taken by the agent appear as the logged-in user and can affect the user's reputation and account standing.

Why it was flagged

The skill relies on the user's authenticated LinkedIn browser session, which is expected for this purpose but grants broad account authority.

Skill content
LinkedIn logged in via browser (use profile with active LinkedIn session)
Recommendation

Use a dedicated browser profile if possible, log out when not using the skill, and require confirmation before account-changing actions.

ASI10: Rogue Agents (Medium)
What this means

A scheduled job could continue posting later, including at times when the content is no longer appropriate.

Why it was flagged

The scheduler can create future or recurring system events that post to LinkedIn after the initial setup.

Skill content
"text": "Post to LinkedIn now: $CONTENT" ... Daily at 9am: "0 9 * * *"
Recommendation

Prefer one-time schedules, set expiration/cancellation reminders, and review active cron jobs regularly.
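A review of the scheduled jobs this recommendation asks for, as an added example (not code from the skill or from ClawScan). Each job is either a one-time run or a cron schedule like the skill's "0 9 * * *"; the review flags recurring jobs with no expiry, recurring jobs whose expiry has passed, one-time jobs already in the past, and malformed cron expressions, and shows the bounded form of the daily job. The Job fields, the sample jobs and the 30-day re-review window are assumptions for this example.

```python
"""Added example: reviewing scheduled LinkedIn posting jobs for unbounded or
stale entries. Not part of the skill; field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


@dataclass(frozen=True)
class Job:
    name: str
    text: str                          # what would be posted
    cron: Optional[str] = None         # recurring schedule
    run_at: Optional[datetime] = None  # one-time schedule
    expires_at: Optional[datetime] = None


def is_valid_cron(expr: str) -> bool:
    """Cheap structural check: five whitespace-separated fields, each made of
    digits, '*', ',', '-' and '/' only (no name aliases)."""
    fields = expr.split()
    allowed = set("0123456789*,-/")
    return len(fields) == CRON_FIELDS and all(f and set(f) <= allowed for f in fields)


def review_jobs(jobs, now: datetime, max_lifetime: timedelta = timedelta(days=30)):
    """Return a list of (job name, finding) tuples. An empty list means every
    job is bounded and still current."""
    findings = []
    for j in jobs:
        if (j.cron is None) == (j.run_at is None):
            findings.append((j.name, "must have exactly one of cron or run_at"))
            continue
        if j.cron is not None:
            if not is_valid_cron(j.cron):
                findings.append((j.name, f"malformed cron expression {j.cron!r}"))
            if j.expires_at is None:
                findings.append((j.name, "recurring job with no expiry: will post indefinitely"))
            elif j.expires_at <= now:
                findings.append((j.name, "expired recurring job still installed: remove it"))
            elif j.expires_at - now > max_lifetime:
                findings.append((j.name, f"expiry more than {max_lifetime.days} days out: re-review"))
        elif j.run_at <= now:
            findings.append((j.name, "one-time job in the past: remove it"))
    return findings


def bound_job(job: Job, now: datetime, lifetime: timedelta = timedelta(days=7)) -> Job:
    """Hardened form of a recurring job: same schedule, explicit expiry."""
    return Job(job.name, job.text, cron=job.cron, expires_at=now + lifetime)


# Constructed sample: the skill's daily 9am job as it would be installed
# (no expiry), the same job bounded, a stale one-time post, and a typo.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_JOBS = [
    Job("daily-post", "Post to LinkedIn now: $CONTENT", cron="0 9 * * *"),
    bound_job(Job("daily-post-bounded", "Post to LinkedIn now: $CONTENT", cron="0 9 * * *"), NOW),
    Job("launch-post", "Post to LinkedIn now: launch", run_at=NOW - timedelta(days=2)),
    Job("typo", "Post to LinkedIn now: x", cron="0 9 * *"),  # only four fields
]

if __name__ == "__main__":
    for name, finding in review_jobs(SAMPLE_JOBS, NOW):
        print(f"{name}: {finding}")
```

Running the review on a schedule (for example from the same scheduler, or before each session with the skill) is the "review active cron jobs regularly" step; the expiry on the bounded job is what makes a forgotten daily post stop on its own instead of running until someone notices.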

ASI04: Agentic Supply Chain Vulnerabilities (Low)
What this means

It may be harder to verify that the reviewed files correspond to the published registry entry.

Why it was flagged

The metadata packaged with the skill does not match the registry record for owner, slug, or version, creating provenance/version ambiguity.

Skill content
"ownerId": "kn78ftsr6trhzdv8byq4yv2x4s808pf4", "slug": "linkedin-automation", "version": "1.0.0"
Recommendation

Ask the publisher to align the packaged metadata with the registry record before trusting the skill for account automation.
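The provenance check behind this recommendation, as an added example (not ClawScan's or the skill's own code): the identifying fields of the packaged metadata are normalised and compared with the registry record, every mismatch is listed, and any mismatch yields a "do not install yet" verdict. The packaged values are the ones quoted above; the registry record in the example is a constructed placeholder, not the actual registry entry for this skill.

```python
"""Added example: compare packaged skill metadata with the registry record and
fail closed on any mismatch. Not ClawScan's or the skill's own code; the
registry values below are a constructed placeholder."""
import re

IDENTITY_FIELDS = ("ownerId", "slug", "version")
SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def normalise(field: str, value) -> str:
    """Fold differences that do not change identity before comparing."""
    v = str(value).strip()
    if field == "slug":
        v = v.lower()          # assumption: registry slugs are case-insensitive
    if field == "version":
        v = v.lstrip("vV")     # "v1.0.0" and "1.0.0" denote the same release
    return v


def compare_metadata(packaged: dict, registry: dict, fields=IDENTITY_FIELDS):
    """Return a list of (field, packaged_value, registry_value) mismatches.
    A field missing on either side counts as a mismatch."""
    mismatches = []
    for f in fields:
        p, r = packaged.get(f), registry.get(f)
        if p is None or r is None or normalise(f, p) != normalise(f, r):
            mismatches.append((f, p, r))
    return mismatches


def install_verdict(packaged: dict, registry: dict) -> dict:
    """ok is True only when every identity field agrees and the version is a
    semantic version; otherwise problems lists what the publisher must fix."""
    problems = [f"{f}: packaged={p!r} registry={r!r}"
                for f, p, r in compare_metadata(packaged, registry)]
    pv = packaged.get("version")
    if pv is not None and not SEMVER.match(normalise("version", pv)):
        problems.append(f"version {pv!r} is not a semantic version")
    return {"ok": not problems, "problems": problems}


# Values quoted from the skill's packaged metadata above.
PACKAGED = {"ownerId": "kn78ftsr6trhzdv8byq4yv2x4s808pf4",
            "slug": "linkedin-automation", "version": "1.0.0"}
# Constructed placeholder for a registry listing; NOT the real registry record.
REGISTRY_EXAMPLE = {"ownerId": "owner-placeholder",
                    "slug": "linkedin-automator", "version": "1.0.1"}

if __name__ == "__main__":
    print(install_verdict(PACKAGED, REGISTRY_EXAMPLE))
```

Re-run the check against the live registry record once the publisher has updated either side; the skill should not be granted an authenticated LinkedIn session until the verdict is ok.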