Linkedin Thread Engagement
Advisory
Audited by VirusTotal on Apr 14, 2026.
Overview
Type: OpenClaw Skill
Name: linkedin-thread-engagement
Version: 1.0.0

The skill bundle is a LinkedIn engagement automation tool designed to monitor comment threads and draft follow-up responses based on specific timing windows (e.g., the 'Kevin Payne window'). The logic in SKILL.md and references/thread-timing.md focuses on analyzing LinkedIn comment trees via HarvestAPI and prioritizing responses based on author engagement. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the instructions are consistent with the stated purpose of social media management.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish LinkedIn replies through a configured backend when the user expected only draft text.
A workflow framed as drafting can invoke a backend that posts publicly, but the instructions do not define an explicit user confirmation gate before high-impact posting.
Draft responses for warm threads using `linkedin-reply-handler` (which adapts to the active backend per `lib.active_backend()` — Publora auto-posts, manual mode returns copy-paste, DIY invokes custom poster).
Use this only with a manual/copy-paste backend unless the user explicitly approves each post; require a confirmation step before any public reply or DM is sent.

The user may not know which LinkedIn or publishing account permissions the workflow will use, or how broad those permissions are.
Auto-posting or custom posting implies use of delegated LinkedIn/social publishing authority, but the supplied requirements declare no primary credential, env vars, or scoped account configuration.
Publora auto-posts, manual mode returns copy-paste, DIY invokes custom poster
Clearly document required accounts, tokens, scopes, and which backend is active before enabling the skill; avoid granting posting permissions unless necessary.

Actual posting behavior may depend on another installed skill or backend with separate risks.
Core behavior depends on another skill and active backend logic that are not part of this reviewed package, so their safety controls cannot be verified from these artifacts.
`linkedin-reply-handler` — drafts the actual follow-up message
Review the linked reply-handler skill and backend configuration before relying on this workflow, especially if any backend can post automatically.

LinkedIn activity and profile/thread information may be retrieved through or shared with an external provider.
The skill discloses a third-party/API data flow involving the user's LinkedIn profile URL, recent comments, and thread context; this is purpose-aligned but should be visible to the user.
Fetch user's recent comments via HarvestAPI `/linkedin/profile-comments`.
Use only if the user is comfortable with HarvestAPI handling this LinkedIn activity, and avoid providing private or sensitive profile data unnecessarily.
