Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Linkedin Content Optimizer Engagement Booster
v1.0.0Analyze LinkedIn engagement patterns, optimize posting times, rewrite content for maximum reach, and automate personalized outreach sequences. Use when the u...
⭐ 0· 104·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims deep LinkedIn analytics (connection clusters, post likes/comments, profile views) and also lists integrations with Google Sheets, Slack, and HubSpot. Only LINKEDIN_API_KEY and OPENAI_API_KEY are required in metadata. Either the extra integrations are optional/unstated, or the skill will attempt to use other credentials/configs that are not declared — this is an incoherence.
Instruction Scope
SKILL.md instructs the agent to retrieve other users' liked posts, commented threads, and profile activity ('profile stalking intelligence') and to generate personalized outreach. Those data-collection actions are sensitive and require specific LinkedIn API scopes and explicit handling; the instructions do not describe consent, storage, or where extracted data will be sent. The skill also references Google Sheets/Slack/HubSpot for reporting/notifications but gives no guidance about how credentials for those services are provided.
Install Mechanism
Instruction-only skill with no install spec and only requires curl and jq on PATH. This is low-risk from installation perspective — nothing is written to disk by an installer.
Credentials
Only two environment variables are declared (LINKEDIN_API_KEY and OPENAI_API_KEY), which is reasonable for core functions. However, the described integrations (Google Sheets, Slack, HubSpot) normally require their own credentials or OAuth flows; the lack of declared env vars or config paths for them is disproportionate to the claimed capabilities and leaves unclear how credentials would be provided or validated. Also, the skill requests access to potentially sensitive LinkedIn data but doesn't enumerate required LinkedIn scopes.
Persistence & Privilege
always is false and there is no install script or config persistence described. The skill does not request elevated platform privileges. Autonomous invocation is allowed by default (normal), but combined with broad data access this increases blast radius — note this risk even though it is not alone a reason to block.
What to consider before installing
This skill is plausible but inconsistent in important ways. Before installing or providing keys: 1) Ask the author to list exactly which LinkedIn API scopes it needs and show the OAuth flow (do not hand over your main account credentials). 2) Confirm how Google Sheets/Slack/HubSpot integrations are enabled and where their credentials are supplied — the SKILL.md should declare required env vars or say those integrations are optional. 3) Verify what user data is collected, how long it is stored, and whether any data is sent to third‑party endpoints; get a data-handling policy. 4) Be cautious about automating outreach at scale (can violate LinkedIn terms and risk account action). 5) If you decide to test, use a limited/test LinkedIn account and scoped API key, and rotate or revoke keys after evaluation. If the author cannot clarify the missing credential/config requirements and data flows, treat the skill as risky and avoid sharing production credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97b8gzdqkt0apzxpfaz57je3n833qar
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔗 Clawdis
OSmacOS · Linux · Windows
Binscurl, jq
EnvLINKEDIN_API_KEY, OPENAI_API_KEY