Is dylanbaker24/linkedin-monitor safe?

lk.py's cmd_auth_setup function writes LinkedIn session cookies (li_at and JSESSIONID) to ~/.clawdbot/linkedin-monitor/credentials.json in plaintext JSON. These cookies provide full LinkedIn account access until session expiry. Any process or skill with read access to the home directory can steal them.

At autonomy levels 2 and 3, the agent sends messages on behalf of the user without approval, books calendar meetings, and networks autonomously. SKILL.md and CRON-PAYLOAD.md both describe this behavior. A misconfiguration, compromised config, or malicious LinkedIn message that escalates the autonomy level could result in the agent sending arbitrary messages as the user at scale.

lk.py imports linkedin_api, an unofficial reverse-engineered LinkedIn client that operates outside LinkedIn's official API. The package is not pinned to a specific version, meaning future updates could introduce breaking changes or supply-chain risks. This package makes direct HTTP requests to LinkedIn's internal voyager API endpoints.

CRON-PAYLOAD.md is a structured instruction set that gets injected into the agent's context during hourly cron execution, directing filesystem reads, browser operations, state mutations, and channel posts. This functions as a persistent secondary system prompt that executes on a schedule, outside the user's immediate supervision.

The skill requires a browser profile to remain logged into LinkedIn 24/7. This means a perpetually authenticated browser session exists on the host. Any skill or process with browser tool access can navigate to LinkedIn and operate with full account privileges without re-authentication.

The skill reads USER.md to draft replies 'in your voice'. This means the agent processes and encodes the user's communication style, tone, and patterns. Combined with autonomous reply levels, the agent can impersonate the user convincingly in professional contexts without visible disclosure.

auditd PATH syscall records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamp 1771912189.405-406, after skill installation completed. The batch read pattern (6 files, sequential audit IDs, identical timestamp) is consistent with Oathe's own post-install verification scan, but cannot be fully attributed without process-level correlation.

SKILL.md instructs users to run npm install -g lk as the LinkedIn CLI dependency, but the repo includes a local scripts/lk.py as the actual implementation. No npm package named 'lk' with matching functionality exists in the package.json. This mismatch could cause confusion and lead users to install an unrelated or malicious npm package named 'lk'.

The cron wrapper and CRON-PAYLOAD.md instruct the agent to post LinkedIn message content (including full message text) to configured external channels (Discord, Telegram, Slack, WhatsApp). This means private LinkedIn conversations are relayed to third-party platforms.

linkedin-monitor enable installs a cron entry (0 * * * *) that runs autonomously every hour. After initial setup, the agent operates on the user's LinkedIn account without user-initiated sessions. At Level 1 this requires approval to send, but the monitoring, drafting, and Discord posting occur automatically.

.clawhub/lock.json shows academic-research-hub is installed in the same skill environment. While not a finding about this skill specifically, co-installed skills can interact through shared filesystem paths, browser sessions, and agent context.