ClawHub

linkedin-human-warmup

v0.1.0

Human-like LinkedIn warmup for new/cold accounts via AdsPower+CDP. Features non-deterministic behavior scripts, connect preconditions based on browsing inten...

0· 294·0 current·0 all-time
by@weimingboya
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (LinkedIn warmup via AdsPower + CDP) is consistent with the included script and instructions: the Python script controls AdsPower's local API and the SKILL.md describes CDP/browser operations. However, the skill metadata declares no required environment variables or binaries while the code expects an AdsPower API endpoint and optional API key (ADSPOWER_BASE_URL, ADSPOWER_API_KEY). That omission is an incoherence between purpose and declared requirements.
!
Instruction Scope
SKILL.md instructs the agent to read and append files under memory/linkedin/ (read MEMORY.md and last 5 daily logs, create files if missing) and to run adspower_browser.py to start/stop AdsPower. These are explicit file I/O and local network actions. The instructions do not declare these filesystem accesses in the metadata and grant the agent broad discretion to autonomously choose scripts/plans, which could lead to unexpected reads/writes if the runtime environment differs from expectations.
!
Install Mechanism
There is no install spec. The included Python script imports httpx but the skill provides no installation instructions or dependency manifest; runtime will fail or behave unpredictably if httpx (and Python) are absent. The lack of an install step for a script that will be invoked by SKILL.md is a packaging inconsistency and operational risk.
!
Credentials
Metadata declares no required env vars, but the script reads ADSPOWER_BASE_URL (defaults to http://127.0.0.1:50325) and ADSPOWER_API_KEY from environment. Requesting an AdsPower API key (a credential) is proportionate to controlling AdsPower, but it is not declared in the skill metadata. This mismatch reduces transparency and could lead to accidental exposure of a sensitive API key. The skill does not request unrelated cloud credentials.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or system-wide settings. It does persist per-account 'memory' files under memory/linkedin/, which is expected by its design but means it will write local files; ensure you are comfortable with that local persistence. Autonomous invocation (model calls skill) is allowed by default — combined with the other concerns this increases potential impact but is not itself a defect.
What to consider before installing
This skill is generally coherent with its stated goal (it orchestrates AdsPower+CDP and simulates human browsing), but the package omits important operational declarations. Before installing: 1) Confirm you run an AdsPower Local API reachable at ADSPOWER_BASE_URL (default localhost) and understand that the skill will call it; 2) Be prepared to supply ADSPOWER_API_KEY in the environment if your AdsPower requires authentication — the skill reads this env var even though it isn't declared; 3) Ensure the runtime has Python and the httpx package (the repo provides no install step); 4) Be aware the agent will read and append files under memory/linkedin/ (local filesystem writes) — review/backup that path if needed; 5) Recognize the tool automates actions designed to mimic human behavior on LinkedIn (may violate LinkedIn Terms of Service and can result in account suspension); 6) If you still want to proceed, run the script in an isolated environment (container/VM), inspect adspower_browser.py directly, and only provide ADSPOWER_API_KEY if you trust the environment. If possible ask the publisher to update the skill metadata to declare required env vars and dependencies and to provide an install spec.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fge6pab10qj7je9n5rfcnhh825krm
294downloads
0stars
1versions
Updated 1mo ago
v0.1.0
MIT-0
@weimingboya
latest
Download

linkedin-human-warmup

面向 LinkedIn 新号/冷号的「拟人化养号」Skill。

目标:让账号行为更像真实用户的长期分布(意图链路、犹豫/返回/走神、被动增长),而不是每天稳定产出 connect。

Inputs

  • user_id:AdsPower profile id(也是 browser profile 名称)
  • cdp_port:CDP 调试端口

Core workflow

按以下顺序执行,在剧本选择和具体行为上自主决策。

1) 读取记忆

  • memory/linkedin/MEMORY.md(账号全貌:状态、累计数据、风控记录、当前约束、内容偏好)
  • 读最近 5 天的 memory/linkedin/YYYY-MM-DD.md(含今天,用于判断近期剧本分布和 connect 频率)
  • 首次运行:若 memory/linkedin/ 不存在或为空,视为全新账号,默认选择保守剧本(PureFeed / DistractedWander),本次 0 connect

记忆决定行为边界:如果记忆显示近期风险偏高或处于冷却期,本次强制 0 connect。

2) 选择剧本

  • references/behavior-scripts.md 自主选择一个剧本
  • 选择时综合考虑:记忆中的近期行为分布、距上次 connect 的天数、风险状态
  • 允许"本次什么都不做就退出"(这是拟人化的一部分)

3) 写 plan

  • 用自然语言写 5-10 步 plan
  • plan 中停留/滚动/hover/返回/中断至少出现一种
  • plan 允许以"什么都不做"或"只看不动"结束

4) 启动浏览器 → 执行 → 关闭浏览器

  • 必须先通过脚本启动 AdsPower 浏览器,再连接 CDP、检测登录、按 plan 行动、最后关闭浏览器
  • 重要:所有 browser 工具调用必须全程指定 profile=<USER_ID>,确保操作始终在目标实例中执行
  • 具体操作步骤见 references/browser-ops.md
  • 任何一步出现风控信号:立刻停止(见 references/risk-signals.md

5) 写入记忆

  • 每次执行结束都写 memory/linkedin/YYYY-MM-DD.md(哪怕 0 操作)
  • 自然语言 写两三句话,像日记不像工单(严格参照 references/memory-spec.md 中的日志示例格式)
  • memory/linkedin/MEMORY.md 自主判断是否需要更新

6) 输出报告

简短汇报即可,包含:你的名字、剧本、做了什么、connect 数、风控状态、浏览器是否已关闭。不要反问用户下次该怎么做——你自主决策。

Hard rules(不可违反)

  • 风控优先:出现验证码/身份验证/异常活动警告 → 立即停止并关闭浏览器
  • 禁止 KPI 行为:不要为了完成 connect 指标去找人加
  • Connect 需要证据链:connect 前必须有浏览意图(内容/推荐触发 → profile 浏览 → 决策)
  • Note 不强制:遇到限制就记录,不用纠结

References(按需读取)

  • references/browser-ops.md:浏览器启动/连接/登录/关闭操作(执行 Step 4 时读)
  • references/behavior-scripts.md:剧本库(选择剧本时读)
  • references/risk-signals.md:风控信号与停止策略(执行前或遇到异常时读)
  • references/memory-spec.md:记忆写法规范与日志示例(写日志时读)

Comments

Loading comments...