Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Linkedin Buying Detector
v1.0.0Detect LinkedIn hiring and growth signals to identify B2B companies ready to buy now and auto-generate personalized outreach messages.
⭐ 0· 34·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (detect LinkedIn buying signals and generate outreach) matches the described workflow (scrape LinkedIn, company profiles, find decision‑makers, generate messages). However, the SKILL.md explicitly requires an Apify API token (and implies use of Claude/Anthropic and CRM/Notion/Airtable/Slack integrations) while the skill metadata declares no required env vars or primary credentials — that mismatch is unexpected and incoherent.
Instruction Scope
Runtime instructions tell the agent to scrape LinkedIn jobs/profiles, extract headcount and emails, call Apify actors, and pass company/profile data to Claude AI to generate outreach. The instructions include external data flows (Apify actors, Claude AI) and imply pushing results to Notion/Airtable/CRMs/Slack, but they do not constrain or document required credentials, nor do they describe safeguards for collecting/transmitting personal contact data. The scope expands beyond a simple local helper and involves network scraping and outbound data transmission.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on‑disk installation risk; the runtime risk comes from network calls described in the instructions (Apify, Claude, and webhooks).
Credentials
The instructions require an Apify token and implicitly need an AI/model key (Claude/Anthropic) plus credentials for integrations (Notion, Airtable, HubSpot, Slack) to realize the listed outputs. The registry metadata lists no required environment variables or primary credential, so requested secrets are not declared — this is disproportionate and raises a risk that users will be asked for tokens at runtime without those needs being visible up front.
Persistence & Privilege
The skill does not request always:true, does not install persistent components, and does not modify other skills or system configs. Autonomous invocation is allowed (platform default) but not combined with elevated privileges here.
What to consider before installing
What to consider before installing:
- The SKILL.md expects an Apify API token (and implies an AI model key such as Anthropic/Claude plus CRM/Notion/Slack credentials) but the skill metadata declares none — treat that as a red flag. Only provide the Apify token or other credentials if you trust the skill source.
- This skill instructs scraping LinkedIn and harvesting contact emails/decision‑maker info and will send that data to external services (Apify actors, AI provider, and potentially your CRM). Confirm legal/ToS/privacy implications for your use case and target jurisdiction.
- Because the skill is instruction-only (no code files), there is no local code to audit; risk surfaces are network interactions. If you proceed, run it with least-privileged tokens (test accounts or read-only API keys), limit max_companies to a small number, and monitor outbound network activity.
- Ask the publisher (or request updated metadata) to: (1) declare required env vars (APIFY_TOKEN, ANTHROPIC/CLAUDE key, and any integration tokens) in the registry, (2) document exactly which third‑party actors are run and what data they receive, and (3) provide an option to disable pushing results to external CRMs/webhooks.
- If you cannot obtain that information, treat installation as higher risk and prefer sandboxed testing with throwaway credentials or decline.Like a lobster shell, security has layers — review code before you run it.
latestvk97e5txpq4tb8hcxpaq06hkvv983yyxy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.