LinkedIn automation — post (with image upload), comment (with @mentions), edit/delete comments, repost, read feed, analytics, like monitoring, engagement tracking, and content calendar with approval workflow. Uses Playwright with persistent browser profile. Use for any LinkedIn task including content strategy, scheduled publishing, engagement analysis, and audience growth.
Security Analysis
Medium confidence

The skill mostly does what it claims (browser-based LinkedIn automation) but contains several mismatches and risky defaults (hidden file paths, local webhook with permissive CORS, hardcoded user-specific logic, and undocumented environment/config needs) that you should review before use.
Name/description (LinkedIn automation) matches the code: Playwright-based browser automation for posting, commenting, scraping, analytics and a content-calendar webhook. However there are some unexpected or specific choices — e.g., defaults and comments that reference particular people ('Andreas Kulpa') and server paths (/var/www/preview) that are not explained by the stated purpose.
Runtime instructions ask you to provide a persistent Chromium profile (i.e., an active LinkedIn session) and to run a local webhook service. The code performs read/write of local files, scans other profiles (scrape/activity/analytics/feed), and can auto-apply edits via the webhook — despite the SKILL.md warning against scraping/commercial use. The webhook serves JSON with CORS='*' (although bound to 127.0.0.1 by default). These behaviors expand scope beyond simple read-only analytics and require care.
No automated install spec is included (instruction-only), but the code requires Playwright (requirements.txt) and manual setup (pip install/playwright install chromium). This is expected for a Playwright-based tool; risk is moderate because Playwright downloads browsers and runs local automation.
Registry metadata lists no required env vars, but SKILL.md and the code use multiple env vars (LINKEDIN_BROWSER_PROFILE, LINKEDIN_DEBUG, LINKEDIN_LIKES_STATE, CC_DATA_FILE, CC_ACTIONS_FILE, CC_WEBHOOK_PORT, CC_WAKE_FILE, LINKEDIN_VENV_PACKAGES). The skill needs access to a persistent browser profile (which implicitly gives it your logged-in LinkedIn session). That is expected for the purpose, but it is a high-privilege artifact and should be isolated; the mismatch between declared and actually used env vars is misleading.
The skill is not always-included and does not request elevated platform flags, but it persists state to disk (~/.linkedin-likes-state.json, ~/.linkedin-style.json), writes webhook data files, and the default data file path (/var/www/preview/cc-data.json) could expose content if that directory is web-served. It also suggests running the webhook as a systemd service and auto-posting via cron — these increase persistent presence and blast radius if misconfigured.
Guidance
This skill is functionally coherent with LinkedIn browser automation but contains multiple risky defaults and undocumented assumptions. Before installing or running it:

1) Review and change default file paths (avoid /var/www/preview; set data and actions files to a safe user-owned directory).
2) Run the automation with a dedicated Chromium profile created only for automation (do not point it at a browser profile that contains other accounts or unrelated cookies).
3) Keep the webhook bound to localhost and do not port-forward it; if you must expose it, add authentication and remove CORS '*' first.
4) Audit the code for any automatic actions — the webhook will auto-apply simple edits and the skill supports cron auto-posting; ensure you understand and disable any automatic posting or auto-apply behavior unless you explicitly want it.
5) Note the hardcoded/person-specific logic (e.g., name filtering) and adjust or remove it.
6) Run the tool in an isolated environment (VM/container) until you are confident it behaves as expected.

If you are uncomfortable with any of these steps or do not understand how to isolate a browser profile, avoid installing or running the skill.
Latest Release
v1.0.1
- Added content calendar support with approval-based publishing workflow and webhook integration.
- Introduced image upload for posts, including automatic handling of LinkedIn’s image editor.
- Added new documentation: `references/content-calendar.md` (content calendar setup and API).
- Added `scripts/cc-webhook.py` for webhook handling.
- Removed `CLAUDE.md` documentation.
- Updated skill description to reflect content scheduling, approval, and enhanced image handling.
Published by @red777777 on ClawHub