A bird-like LinkedIn CLI for searching profiles, checking messages, and summarizing your feed using session cookies.
Security Analysis
High confidence: The skill's code, declared requirements, and runtime instructions are coherent with its stated purpose (a CLI that uses LinkedIn session cookies); nothing requests unrelated credentials or installs unexpected tooling, but the necessary use of session cookies is sensitive and should be handled carefully.
Name/description (LinkedIn CLI) match the actual behavior: the script is a Python CLI that uses LinkedIn session cookies to call LinkedIn via the third‑party linkedin-api library. Required binary (python3) and the two cookie env vars (li_at and JSESSIONID) are proportional to that purpose.
SKILL.md instructs users to extract li_at and JSESSIONID from browser DevTools and set them as environment variables — this is consistent with how cookie-based authentication works, but it is sensitive: the instructions require copying session cookies (which grant account access). The instructions do not tell the agent to read unrelated files or exfiltrate data to other endpoints; the code only calls LinkedIn via the linkedin-api library.
No install spec (instruction-only) and a small dependency requirement (pip install linkedin-api). This is low-risk for the skill bundle itself; however, installing third‑party Python packages is a normal risk vector — users should vet the linkedin-api package and its source before installing.
Only the two cookie env vars (LINKEDIN_LI_AT, LINKEDIN_JSESSIONID) are required and they directly map to the stated cookie-based auth. That is proportionate, but both variables are effectively account credentials and present a high-sensitivity risk if leaked or stored in shared environments.
Skill does not request permanent presence (always: false), does not modify other skill or system configs, and does not request extra privileges beyond reading two environment variables at runtime.
Guidance
This skill is internally consistent, but it requires sensitive session cookies; treat them like passwords. Before installing or running:
- Only run the code locally on a trusted machine; inspect scripts/lk.py yourself (it's short and readable).
- Vet the linkedin-api Python package (source repository, recent commits, maintainers) before pip installing.
- Avoid pasting li_at/JSESSIONID into chat, logs, or shared shells; use ephemeral shell sessions or a dedicated automation account.
- Understand these cookies grant access to your LinkedIn account; consider using an API/OAuth flow or a separate account for automation where possible.
- If you stop using the skill, rotate/revoke the session cookies (log out of LinkedIn or change password) to invalidate them.

If you want, I can summarize exactly where the script uses the cookies and point out which lines you should review in more detail.
Latest Release
v1.0.0
Initial release of lk CLI
Published by @arun-8687 on ClawHub