LinkedIn Automation by Linked API
v1.0.1
LinkedIn automation skill — search people and companies, fetch profiles, send messages and InMails, manage connections, create posts, react, comment. Support...
by Vlad Prudnikov (@vprudnikoff)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (LinkedIn automation) matches the behavior described in SKILL.md: a CLI that can fetch profiles, search, send messages, post, etc. Requiring authentication tokens to control a LinkedIn account is expected. However, the registry metadata lists no required credentials or primaryEnv while the runtime instructions explicitly require two tokens (Linked API Token and Identification Token). That mismatch (no declared primary credential but clear runtime requirement) is an incoherence worth noting.
Instruction Scope
The SKILL.md instructs the agent (and user) to install and use a third‑party CLI (@linkedapi/linkedin-cli) and to obtain two tokens from app.linkedapi.io. The service runs a 'cloud browser' that performs actions on the user's LinkedIn account. That means sensitive credentials and account actions will be transmitted to and executed by an external service. While this is necessary for the stated automation capability, it expands the trust surface considerably (credential sharing, remote actions, and possible data disclosure). The instructions do not reference reading arbitrary local files or other unrelated environment variables.
Install Mechanism
There is no install spec in the registry (instruction-only skill), but SKILL.md tells users to run: npm install -g @linkedapi/linkedin-cli. Installing a global npm package from the public registry is a reasonable distribution method for a CLI, but it carries moderate risk because the package will execute code on the host and the registry entry provides no information about the package author, homepage, or auditability. The instruction to install from npm is expected for a CLI but would be safer if the skill metadata included the package source and publisher.
Credentials
The skill requires two sensitive tokens (Linked API Token and Identification Token) for full functionality. Those tokens effectively grant the third‑party service the ability to perform LinkedIn actions on the user's behalf (send messages, connect, post). The registry metadata lists no required env vars or primary credential, but the runtime flow expects tokens to be provided and stored via the CLI. That omission in metadata reduces transparency and makes it harder for users to spot the risk before installation.
Persistence & Privilege
The skill does not request 'always: true' and uses default model invocation settings. There is no instruction in SKILL.md to modify other skills or system-wide agent settings. The CLI will likely store tokens locally when run (per the setup command), which is normal for a CLI but should be checked by the user.
What to consider before installing
This skill appears to do what it says (automate LinkedIn via a CLI), but it depends on a third‑party service (app.linkedapi.io) that uses a cloud browser to act on your LinkedIn account. Before installing or providing any tokens:
1) Verify the npm package (@linkedapi/linkedin-cli) author/publisher and inspect the package on the npm registry (and ideally its source code) to confirm behavior.
2) Confirm app.linkedapi.io's identity and review its privacy/security policy—understand exactly what the tokens permit and how they are stored/transmitted.
3) Prefer least privilege: if possible, test with a throwaway LinkedIn account, and ask where the CLI stores tokens locally and whether they can be revoked.
4) If you need stricter guarantees, request skill metadata to declare required credentials/primaryEnv and a homepage or source repository; absence of those is a transparency gap.
If you are uncomfortable sharing account tokens with an unknown third party, do not install or use this skill.
Like a lobster shell, security has layers — review code before you run it.
