Is linkedin-automation safe?

https://clawhub.ai/zich-dev/linkedin-automation

55
CAUTION

This LinkedIn automation skill is a browser-based social media automation tool that instructs an AI agent to perform actions on LinkedIn using the user's authenticated session. While no outright malicious code or data exfiltration to external endpoints was found, the install phase showed concerning access to .env, AWS credentials, and agent auth profiles. The skill's core functionality — autonomous posting, commenting, and engagement on behalf of the user's professional identity — carries significant reputation risk, LinkedIn ToS violation risk, and exposes sensitive professional data through browser session access.

Category Scores

Prompt Injection 45/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 35/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (13)

HIGH Sensitive file access during install: .env and AWS credentials -35

Filesystem monitoring detected that during the install phase, the process accessed /home/oc-exec/.env and /home/oc-exec/.aws/credentials. While these may be part of the OpenClaw platform's normal initialization, a skill install should not need access to AWS credentials or environment secrets. The .aws/credentials file was opened and read (OPEN, ACCESS, CLOSE_NOWRITE). This access pattern is concerning because the skill claims to only need browser access for LinkedIn automation.

HIGH Agent auth-profiles.json accessed during install -30

The install process accessed the agent's authentication profiles file, which likely contains tokens or credentials for the agent's authenticated services. This file access is not justified by a LinkedIn automation skill's install requirements.

HIGH Autonomous browser actions on authenticated sessions without per-action consent -30

The SKILL.md instructs the agent to navigate to linkedin.com, click UI elements, type content, and submit posts using the user's authenticated browser session. The engage.sh workflow further instructs autonomous liking and commenting on posts. These are high-impact actions performed under the user's real professional identity with no per-action confirmation mechanism built into the skill.

HIGH Authenticated LinkedIn session exposes private professional data -35

The skill requires browser access to an authenticated LinkedIn session. Once the agent has browser control over a logged-in LinkedIn account, it has access to private messages, connection lists, profile details, email addresses of connections, and other sensitive professional data. The analytics workflow explicitly scrapes personal engagement metrics. While the skill doesn't appear to exfiltrate this data to external endpoints, the access surface is very broad.

MEDIUM Cron scheduling enables deferred autonomous agent actions -15

The schedule.sh script instructs users to set up cron jobs that inject future instructions into the agent via systemEvent payloads. This creates a mechanism for persistent, unsupervised autonomous behavior where the agent will post to LinkedIn on a schedule without real-time user oversight.

MEDIUM Engagement automation instructs agent to generate comments as the user -10

The engage.sh script and engagement.md reference file provide comment templates and instruct the agent to autonomously compose and post comments on other people's LinkedIn posts. The agent is acting as the user's professional identity, and poorly generated or contextually inappropriate comments could damage the user's reputation.

MEDIUM Five shell scripts with user-controlled input parameters -15

The skill includes 5 bash scripts that accept user input as arguments. While the scripts primarily output instruction text via heredocs (not directly dangerous), post.sh and schedule.sh pass user content ($CONTENT) directly into heredoc output without sanitization. The scripts use 'set -e' (post.sh) but variable expansion within heredocs could be exploited if content contains shell metacharacters in future versions.

MEDIUM LinkedIn ToS violation risk and account ban potential -25

LinkedIn's Terms of Service explicitly prohibit automated interactions. Using this skill could result in the user's LinkedIn account being restricted, suspended, or permanently banned. The skill acknowledges rate limits but still instructs automated engagement at scale (20-30 comments/day, 100 likes/day).

MEDIUM Skill could enable coordinated inauthentic behavior -20

The engagement automation features combined with cron scheduling could be used to create coordinated inauthentic behavior networks on LinkedIn - multiple accounts running this skill to boost each other's content. The engagement.md reference explicitly discusses 'Engagement Pods' for mutual boosting.

LOW Analytics workflow scrapes personal LinkedIn metrics -10

The analytics.sh workflow instructs the agent to navigate to LinkedIn's analytics dashboard and extract detailed personal metrics including impressions, engagement rates, profile views, and follower data. While this data belongs to the user, it's being collected and structured in a way that could be forwarded if combined with another skill or exfiltration vector.

LOW Temp file creation during install in /tmp/jiti and /tmp/openclaw -10

The install process created multiple CJS files in /tmp/jiti/ and a lock file in /tmp/openclaw-1000/. While these appear to be part of the OpenClaw platform's normal JIT compilation process, the creation of executable .cjs files in /tmp during install is noted.

INFO All canary files intact 0

No honeypot files (fake .env, SSH keys, AWS credentials) were modified or tampered with during the install or runtime phases. This is a positive signal.

INFO No npm install scripts, git hooks, submodules, or symlinks 0

The skill has no package.json with install scripts, no git hooks, no git submodules, and no symlinks. The shell scripts are straightforward heredoc output generators. No remote code download or execution was observed.