ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linkedin Signal

v1.0.0

Detect and score B2B buying signals from LinkedIn job posts and company data, then generate personalized outreach messages for hot leads.

0· 41·0 current·0 all-time
by@nicemaths123·duplicate of @nicemaths123/linkedin-buying-detector
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (LinkedIn buying signals + outreach) match the runtime instructions: the SKILL.md explicitly orchestrates Apify actors to scrape LinkedIn jobs, company pages, news, and profiles and uses an LLM to score and craft outreach. Collecting decision-maker info and emails is coherent with lead-gen purpose.
!
Instruction Scope
Instructions direct broad web scraping of LinkedIn job posts, company profiles, and personal profiles and to extract emails/contacts and push results to external systems (CSV/Notion/CRM). The doc does not document rate-limiting, legality/TOU compliance, how contact emails are obtained, or safeguards for sensitive personal data. It also references many Apify actor IDs and expects an apify_token in the example input, but the skill metadata does not declare that credential.
Install Mechanism
This is instruction-only (no install spec, no code files), so nothing is written to disk by an installer. That lowers technical install risk; the runtime risk is from remote scraping and outbound data flows, not local installs.
!
Credentials
Registry metadata lists no required env vars or primary credential, yet the SKILL.md input schema and setup steps explicitly require an Apify API token (apify_token). It also claims integrations (Notion/Airtable/HubSpot/CRM/Slack) but does not declare required credentials for those targets. This mismatch is an incoherence and increases risk of ad-hoc credential requests at runtime.
Persistence & Privilege
The skill is not always:true, is user-invocable, and does not request persistent system privileges or claim to modify other skills/configs. No elevated persistent presence is requested in the metadata.
What to consider before installing
This skill appears to do what it says (scrape LinkedIn via Apify and generate outreach) but the metadata omits required credentials and data-flow details. Before installing or running: (1) Confirm the developer/source and ask them to declare required env vars (Apify token and any CRM/Notion tokens) in the metadata rather than only in example inputs. (2) Never supply high-privilege or production CRM tokens to an unknown skill — use a disposable/test account or scoped API key. (3) Ask how emails/PII are obtained and whether scraping respects LinkedIn's terms and privacy laws (GDPR). (4) Verify the referenced Apify actor IDs on apify.com and ensure they are reputable. (5) If you plan to push leads to your systems, require the skill to show explicit destination endpoints and authentication flows before granting access. If the author cannot provide source code or a homepage and explain the credential needs, treat this as risky and avoid providing real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk978nkzye09hn3kqhatvrz0da584jksv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments