Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Publora Linkedin

v2.0.1

Post or schedule content to LinkedIn using the Publora API. Use this skill when the user wants to publish or schedule LinkedIn posts, retrieve analytics (imp...

1· 671·2 current·2 all-time
by Sergey Bulaev (@sergebulaev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability [flagged]
The skill's stated purpose (post/schedule LinkedIn posts via the Publora API) matches the runtime examples in SKILL.md, but the manifest declares no primary credential and no required environment variables, even though every request example sends an x-publora-key header. There is also no homepage or source repository against which to verify the publisher.
Instruction Scope [flagged]
The instructions are limited to calling https://api.publora.com endpoints (posting, scheduling, analytics, reactions, comments). However, SKILL.md defers to a separate 'publora' core skill for authentication and other documentation, and the registry metadata neither declares that dependency nor explains how the x-publora-key will be provided. That leaves an operational gap and a possible scope creep: an agent left to obtain the secret or the missing context on its own may reach outside the stated scope.
Install Mechanism
No install spec and no code files (instruction-only), so install risk is the lowest possible: nothing is downloaded or executed on disk by an installer.
Credentials [flagged]
SKILL.md expects an API key (x-publora-key: sk_YOUR_KEY), but requires.env and the primary credential are both empty. Because of that mismatch the skill will either fail, prompt the user to paste a secret at runtime, or lead the agent to go looking for credentials on its own, and none of those behaviours is declared. Sending post content and analytics to a third-party service also exposes potentially sensitive data, and no guidance on least-privilege keys or scopes is provided.
Persistence & Privilege
No elevated persistence is requested (always:false). The skill does not request system-wide configuration changes or other skills' credentials. Autonomous invocation is allowed (the default), which is not a flag on its own; it matters only in combination with the concerns above.
What to consider before installing
This skill appears to be a straightforward Publora LinkedIn wrapper, but the manifest is missing key provenance and a declared API credential. Before installing:
1. Verify the publisher and source; no homepage or repository is listed.
2. Confirm how the Publora API key is provided, and ask the author to declare a primaryEnv such as PUBLORA_API_KEY.
3. Prefer creating a least-privilege Publora key and understand its scopes.
4. Be aware that the agent will send post text, media and analytics to api.publora.com; avoid sending sensitive content.
5. If you don't trust the publisher, don't provide secrets or allow autonomous agent runs that can publish to your LinkedIn accounts.
If the maintainer supplies a repository, homepage and explicit required-env metadata, re-evaluate then.
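The checks in the scan above (hosts confined to api.publora.com, a credential header with no declared env var, an undeclared 'publora' core skill dependency, missing homepage and repository) can be reproduced mechanically before a skill is installed. The following Python lint is an added example and is not part of the ClawHub scanner or the Publora skill. The SKILL.md excerpt and manifest it runs on are constructed to match the shape the scan describes, and the manifest field names (primaryEnv, requires.env, dependencies, homepage, repository, always) are taken from the scan text or assumed; the real registry schema may differ. A leaked-key check is included as an extra, since a SKILL.md that embeds a real key instead of a placeholder is the same class of defect.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample inputs, not the real skill's files: a SKILL.md excerpt in
# the shape the scan describes (curl examples carrying an x-publora-key header,
# a pointer to a separate "publora" core skill for auth) and a manifest with
# empty provenance and no declared credential. Manifest field names are taken
# from the scan text or assumed; the real registry schema may differ.
SKILL_MD = """\
# Publora LinkedIn

Post or schedule content to LinkedIn using the Publora API.
Authentication is documented in the separate `publora` core skill.

    curl -X POST https://api.publora.com/v1/posts \\
      -H "x-publora-key: sk_YOUR_KEY" \\
      -d '{"text": "hello"}'

    curl https://api.publora.com/v1/analytics -H "x-publora-key: sk_YOUR_KEY"
"""

MANIFEST = json.loads("""
{
  "name": "publora-linkedin",
  "version": "2.0.1",
  "homepage": "",
  "repository": "",
  "primaryEnv": "",
  "requires": {"env": []},
  "dependencies": [],
  "always": false
}
""")

ALLOWED_HOSTS = {"api.publora.com"}  # hosts the instructions may call
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
CRED_HEADER_RE = re.compile(r"-H\s+[\"']?(x-[\w-]*key|authorization)\s*:", re.I)
CORE_SKILL_RE = re.compile(r"`([\w-]+)` core skill")
# A value that looks like a real sk_-style key rather than a short placeholder.
LEAKED_KEY_RE = re.compile(r"\bsk_[A-Za-z0-9]{24,}\b")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def lint_skill(skill_md: str, manifest: dict) -> list[Finding]:
    """Cross-check SKILL.md against the manifest and return review findings."""
    findings: list[Finding] = []

    # Instruction scope: every host the instructions reference must be allowed.
    hosts = {h.lower() for h in URL_RE.findall(skill_md)}
    for host in sorted(hosts - ALLOWED_HOSTS):
        findings.append(Finding("high", f"instructions call undeclared host {host}"))

    # Credentials: a secret header in the examples needs a declared source.
    headers = {h.lower() for h in CRED_HEADER_RE.findall(skill_md)}
    declared = set(manifest.get("requires", {}).get("env", []))
    if manifest.get("primaryEnv"):
        declared.add(manifest["primaryEnv"])
    if headers and not declared:
        findings.append(Finding(
            "high", f"header(s) {sorted(headers)} used but no required env var declared"))

    # Leaked secret: a key-shaped literal where a placeholder belongs.
    for key in LEAKED_KEY_RE.findall(skill_md):
        findings.append(Finding("high", f"literal secret in instructions: {key[:6]}..."))

    # Dependencies: a core skill the instructions rely on must be declared.
    deps = set(manifest.get("dependencies", []))
    for name in sorted(set(CORE_SKILL_RE.findall(skill_md)) - deps):
        findings.append(Finding("medium", f"relies on undeclared skill '{name}'"))

    # Provenance: homepage and repository let a reviewer verify the publisher.
    for field in ("homepage", "repository"):
        if not manifest.get(field):
            findings.append(Finding("medium", f"manifest has no {field}"))

    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into a three-way outcome: benign, review, suspicious."""
    if any(f.severity == "high" for f in findings):
        return "suspicious"
    return "review" if findings else "benign"


if __name__ == "__main__":
    fs = lint_skill(SKILL_MD, MANIFEST)
    for f in fs:
        print(f"[{f.severity}] {f.message}")
    print("verdict:", verdict(fs))
```

On the constructed inputs the lint returns one high finding (x-publora-key sent with no declared env var) and three medium ones (undeclared 'publora' dependency, no homepage, no repository), which is the same picture the scan paints. Filling in primaryEnv, dependencies, homepage and repository clears every finding, which is exactly the re-evaluation condition stated above.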

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b6v6ka591s9sgc34pmsexxh839dbf
