← Back to Skills Marketplace
0xmythril

Linkedin Cli

by 0xmythril · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
417
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install linkedin-cli-2
Description
Post to LinkedIn using the official API v2. Uses OAuth tokens so only post when explicitly asked or scheduled.
README (SKILL.md)

linkedin-cli

Post to LinkedIn using the official API v2. This tool is rate-limited by LinkedIn, so only use it when the user explicitly asks you to post, or during scheduled cron tasks. Do not speculatively draft and post content.

Setup

  1. Install (pinned to release tag):
npm install -g github:0xmythril/linkedin-cli#v1.0.0
  1. Create a LinkedIn app at https://www.linkedin.com/developers/apps
    • Enable Sign In with LinkedIn using OpenID Connect and Share on LinkedIn products
    • Add http://localhost:8585/callback to Authorized redirect URLs
  2. Configure credentials (file is created with restricted permissions):
mkdir -p ~/.config/linkedin-cli
touch ~/.config/linkedin-cli/.env
chmod 600 ~/.config/linkedin-cli/.env
cat > ~/.config/linkedin-cli/.env \x3C\x3C 'EOF'
LINKEDIN_CLIENT_ID=your_client_id
LINKEDIN_CLIENT_SECRET=your_client_secret
EOF
  1. Authenticate (opens browser for OAuth):
linkedin-cli auth
  1. Verify: linkedin-cli whoami

Security

  • Credentials: Stored in ~/.config/linkedin-cli/.env (read by dotenv at runtime). Set chmod 600 to restrict access.
  • No postinstall scripts: The package has zero install scripts — verify via npm pack --dry-run or inspect package.json.
  • No telemetry or network calls except to the official LinkedIn API (api.linkedin.com) and OAuth (www.linkedin.com) when you run a command.
  • Pinned install: The install command pins to a specific release tag. Audit the source at https://github.com/0xmythril/linkedin-cli before installing.
  • Dependencies: Only 3 runtime deps — commander (CLI parsing), dotenv (env file loading), open (browser launch for OAuth). No transitive dependencies beyond these.

Commands

Verify auth

linkedin-cli whoami

Authenticate

linkedin-cli auth

Post a text update

linkedin-cli post "Your post text here"

Share a URL with commentary

linkedin-cli share "https://example.com/article" "Your commentary here"

Delete a post

linkedin-cli delete \x3Cpost-id-urn-or-url>
linkedin-cli delete https://www.linkedin.com/feed/update/urn:li:activity:7654321/

Important rules

  • Do NOT post unless the user explicitly asks or a cron job triggers it. LinkedIn rate-limits API usage.
  • Always confirm with the user before posting or sharing. Show them the text first.
  • Keep posts professional — LinkedIn is a professional network.
  • linkedin-cli accepts raw numeric IDs, full URNs, and LinkedIn post URLs.
  • If you get a 401 error, the token has expired (~60 days). Ask the user to run linkedin-cli auth to re-authenticate.
  • This tool is for posting only. It cannot read feeds, search profiles, or send messages.
Usage Guidance
Before installing or enabling this skill: 1) Inspect the GitHub repo (https://github.com/0xmythril/linkedin-cli) and review package.json and source for postinstall scripts, network endpoints, and telemetry claims — do not rely solely on the README. 2) Clarify why LINKEDIN_ACCESS_TOKEN is listed as required when the instructions show an interactive auth flow; if a token is needed for cron/headless use, ensure it's scoped and rotated regularly. 3) If you will allow autonomous invocation, consider disabling model invocation for this skill or require explicit confirmation prompts to avoid accidental posts. 4) Only install the pinned release after auditing it; if you cannot audit, avoid installing a globally writable npm package from a personal repo. 5) Store client_secret and tokens with restricted file permissions (chmod 600) as instructed and consider using a secrets manager for long-lived environments.
Capability Analysis
Type: OpenClaw Skill Name: linkedin-cli-2 Version: 0.1.0 The skill is classified as suspicious due to its reliance on installing an external npm package from a GitHub repository (`github:0xmythril/linkedin-cli`) via `npm install -g` as specified in `SKILL.md`. While the installation is pinned to a specific version and the skill's documentation claims the package is secure with no postinstall scripts or telemetry, installing external dependencies from a remote source introduces a supply chain risk. This constitutes a risky capability without clear malicious intent, aligning with the 'suspicious' classification threshold.
Capability Assessment
Purpose & Capability
Name/description (post to LinkedIn via API v2) align with required binary 'linkedin-cli' and the described commands. However, the declared required env vars include LINKEDIN_ACCESS_TOKEN while the SKILL.md's setup flow documents creating LINKEDIN_CLIENT_ID and LINKEDIN_CLIENT_SECRET and using 'linkedin-cli auth' to obtain a token — the ACCESS_TOKEN requirement is not explained in the instructions.
Instruction Scope
SKILL.md instructions stay within the expected scope (install, create ~/.config/linkedin-cli/.env, run oauth, post/delete). The guidance to 'only post when explicitly asked' is policy text, not an enforced technical restriction — the agent can be invoked autonomously by default, so this is a behavior guideline rather than a safeguard. The skill claims no network calls except to LinkedIn endpoints, which cannot be verified from an instruction-only skill.
Install Mechanism
Registry metadata says 'No install spec' (instruction-only), but SKILL.md contains an 'openclaw.install' entry that pins an npm install from a GitHub repo: 'npm install -g github:0xmythril/linkedin-cli#v1.0.0'. Installing code from a GitHub repo via npm is common but higher risk than an audited package; the install is pinned (good) but should be audited. The mismatch between 'no install spec' and the embedded install command is an inconsistency that should be clarified.
Credentials
The skill declares three required env vars (LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET, LINKEDIN_ACCESS_TOKEN). Client ID/secret are reasonable for OAuth. Requiring LINKEDIN_ACCESS_TOKEN as a required env var is odd because the SKILL.md documents an interactive 'linkedin-cli auth' flow to obtain the token and stores credentials in ~/.config/linkedin-cli/.env. It's unclear whether an access token is mandatory up front or optional for headless operation. Requesting an access token and client secret gives high-value access — justify why all three are required and whether least-privilege (scoped tokens) is used.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It uses a per-user config file (~/.config/linkedin-cli/.env) which is proportionate. Note: the agent's ability to autonomously invoke the skill (disable-model-invocation: false) is the platform default; combined with OAuth posting rights this increases impact if the agent were compromised — consider restricting autonomous invocation if you are concerned about accidental posts.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install linkedin-cli-2
  3. After installation, invoke the skill by name or use /linkedin-cli-2
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of linkedin-cli-2 - Post to LinkedIn using the official API v2 with OAuth authentication. - Requires explicit user action or scheduling for posting; does not post speculatively. - Provides commands to authenticate, verify authentication, post text updates, share URLs, and delete posts. - Credentials are stored securely in a local config file with restricted permissions. - No telemetry, no postinstall scripts, and minimal dependencies for improved security.
Metadata
Slug linkedin-cli-2
Version 0.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Linkedin Cli?

Post to LinkedIn using the official API v2. Uses OAuth tokens so only post when explicitly asked or scheduled. It is an AI Agent Skill for Claude Code / OpenClaw, with 417 downloads so far.

How do I install Linkedin Cli?

Run "/install linkedin-cli-2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Linkedin Cli free?

Yes, Linkedin Cli is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Linkedin Cli support?

Linkedin Cli is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Linkedin Cli?

It is built and maintained by 0xmythril (@0xmythril); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments