Is linkedin-cli safe?
https://clawhub.ai/arun-8687/linkedin-cli
This skill provides a CLI interface to LinkedIn using session cookie authentication. While the code itself appears to function as advertised with no overt malicious behavior, it poses significant security risks: it requires exporting full LinkedIn session tokens as environment variables (exposing them to any process and the LLM context), depends on an unofficial unaudited PyPI package that could be supply-chain compromised, and funnels private LinkedIn data (messages, connections) through the LLM's context window where it may be logged or leaked. The filesystem monitoring also shows access to .env and .aws/credentials during installation.
Category Scores
Findings (8)
CRITICAL LinkedIn session token exposure via environment variables -35
The skill requires users to export their LinkedIn session cookies (li_at and JSESSIONID) as environment variables. These tokens grant full, unrestricted access to the user's LinkedIn account. Any process in the environment can read these, and they persist in shell history, .bashrc, or .zshrc if exported there. The tokens are passed through the agent's tool execution context, exposing them in logs and conversation history.
HIGH Private LinkedIn data enters LLM context window -20
Commands like 'lk messages', 'lk feed', and 'lk profile' output private LinkedIn data (direct messages, feed content, profile details) to stdout, which the LLM agent ingests into its context. This data may be logged by the platform, included in conversation exports, or influence future responses in ways that leak private information.
HIGH Dependency on unofficial, unaudited PyPI package -40
The skill requires 'pip install linkedin-api', an unofficial reverse-engineered LinkedIn client. This package executes arbitrary code during installation (via setup.py) and at runtime. It is not maintained by LinkedIn and has no security guarantees. A supply chain compromise of this package would give an attacker access to the user's LinkedIn session tokens and full agent execution environment.
HIGH Executable Python script with full environment access -30
The lk.py script runs as a shell subprocess with access to all environment variables, not just the LinkedIn tokens. It imports third-party code (linkedin-api, requests) that has unrestricted network and filesystem access within the execution sandbox.
MEDIUM Sensitive file access during installation -25
Filesystem monitoring detected reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the install phase. While these may be attributable to the openclaw runtime rather than the skill itself, the access pattern is noteworthy — especially .aws/credentials which contains AWS secret keys.
MEDIUM Trojan horse potential via version updates -15
The skill's functionality is plausible and the current code appears to do what it claims. However, the skill auto-updates from clawhub.ai, and a future version could silently add exfiltration code targeting the session tokens, environment variables, or filesystem. The unofficial linkedin-api dependency is also an update vector for supply chain attacks.
LOW No prompt injection detected -10
The SKILL.md content is straightforward documentation without hidden instructions, unicode tricks, or persona manipulation. The metadata section is clean.
MEDIUM LinkedIn Terms of Service violation risk -15
Using reverse-engineered session cookies to automate LinkedIn access violates LinkedIn's Terms of Service. LinkedIn actively detects and blocks such usage, which could result in the user's account being suspended or permanently banned. The skill does not warn users about this risk.