Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Linkedin Thread Engagement
v1.0.0
Tracks your LinkedIn comments for author replies within 72h, flags high-value engagement windows, and drafts timely follow-ups to maximize thread momentum.
by Sergey Bulaev (@sergebulaev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to monitor LinkedIn threads and post or route DMs, which legitimately requires API access or posting credentials. However the metadata declares no required environment variables, no credentials, and no install/dependencies. The SKILL.md also references HarvestAPI, Publora, and lib.active_backend(), which are external services/libraries not declared or bundled. That mismatch suggests missing or omitted requirements.
Instruction Scope
Runtime instructions tell the agent to fetch profile comments via HarvestAPI, fetch comment trees, classify stages, draft replies and route DMs, and call `linkedin-reply-handler`/`lib.active_backend()`. These steps imply network calls, authentication, and invoking other skills/libraries, but the doc gives no authentication flow or safe limits. The instructions are specific about data to collect (comment trees, reply URNs, timestamps) yet do not describe required permissions or endpoints, leaving the agent with open-ended authority to call unknown services.
Install Mechanism
There is no install spec and no code files — this minimizes on-disk risk. However being instruction-only increases reliance on external services and other skills; the absence of an install step is coherent with an instruction-only approach but does not compensate for missing declared credentials/dependencies.
Credentials
The behavior described (reading the user's LinkedIn comments, posting replies, sending DMs, calling HarvestAPI/Publora) normally requires LinkedIn/Harvest/API keys or OAuth tokens and probably API endpoints, yet requires.env is empty and no primary credential is declared. That is disproportionate: the skill requests actions that need sensitive credentials but doesn't declare them or explain how they'll be provided or stored.
Persistence & Privilege
always:false and no special install-time persistence or config modifications are requested. The skill can be invoked by the agent (normal), but it does not request elevated continuous presence or cross-skill configuration changes in the provided metadata.
What to consider before installing
This skill's instructions clearly expect API access and helper libraries (HarvestAPI, Publora, linkedin-reply-handler) but the package declares no credentials, endpoints, or dependencies — that's a red flag. Ask the publisher for: (1) the exact APIs/endpoints used and an explanation of HarvestAPI/Publora and how auth is performed (OAuth flow or API key), (2) a list of required environment variables or connectors (LinkedIn token, HarvestAPI key, posting credential) and how secrets are stored, (3) the source or homepage and provenance for referenced helper skills (linkedin-reply-handler), and (4) whether posting/DMing will be automatic or require manual approval. Until the author supplies that information, avoid granting this skill live LinkedIn credentials or enabling autonomous posting — if you test it, do so in a restricted/sandbox account and insist on explicit, minimal-scoped auth (OAuth with revocable tokens) and audit logging.
Like a lobster shell, security has layers — review code before you run it.
