0xmythril

Linkedin Cli

By 0xmythril · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
417 total downloads
0 favorites
0 current installs
1 version
Install in OpenClaw
/install linkedin-cli-2
Description
Post to LinkedIn using the official API v2. Uses OAuth tokens so only post when explicitly asked or scheduled.
Usage instructions (SKILL.md)

linkedin-cli

Post to LinkedIn using the official API v2. This tool is rate-limited by LinkedIn, so only use it when the user explicitly asks you to post, or during scheduled cron tasks. Do not speculatively draft and post content.

Setup

  1. Install (pinned to release tag):
npm install -g github:0xmythril/linkedin-cli#v1.0.0
  2. Create a LinkedIn app at https://www.linkedin.com/developers/apps
    • Enable Sign In with LinkedIn using OpenID Connect and Share on LinkedIn products
    • Add http://localhost:8585/callback to Authorized redirect URLs
  3. Configure credentials (file is created with restricted permissions):
mkdir -p ~/.config/linkedin-cli
touch ~/.config/linkedin-cli/.env
chmod 600 ~/.config/linkedin-cli/.env
cat > ~/.config/linkedin-cli/.env << 'EOF'
LINKEDIN_CLIENT_ID=your_client_id
LINKEDIN_CLIENT_SECRET=your_client_secret
EOF
  4. Authenticate (opens browser for OAuth):
linkedin-cli auth
  5. Verify: linkedin-cli whoami

Security

  • Credentials: Stored in ~/.config/linkedin-cli/.env (read by dotenv at runtime). Set chmod 600 to restrict access.
  • No postinstall scripts: The package has zero install scripts — verify via npm pack --dry-run or inspect package.json.
  • No telemetry or network calls except to the official LinkedIn API (api.linkedin.com) and OAuth (www.linkedin.com) when you run a command.
  • Pinned install: The install command pins to a specific release tag. Audit the source at https://github.com/0xmythril/linkedin-cli before installing.
  • Dependencies: Only 3 runtime deps — commander (CLI parsing), dotenv (env file loading), open (browser launch for OAuth). No transitive dependencies beyond these.
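
One way to do the package.json inspection suggested above, as an added example (not code from the linkedin-cli project): it flags install-time lifecycle scripts and any runtime dependency outside the three named in this list. It also checks `prepare`, which npm runs when a package is installed from a git URL such as the `github:` spec used here; the function names and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a package.json before `npm install -g github:...`.
// Lifecycle scripts npm may run while installing a package. `prepare` is
// included because npm runs it for packages installed from a git URL.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Runtime dependencies the README claims (from the Security section).
const CLAIMED_DEPS = ["commander", "dotenv", "open"];

function auditManifest(manifestJson, claimedDeps = CLAIMED_DEPS) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const deps = Object.keys(pkg.dependencies || {});

  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      findings.push(`install-time script "${hook}": ${scripts[hook]}`);
    }
  }
  for (const name of deps) {
    if (!claimedDeps.includes(name)) {
      findings.push(`runtime dependency not in the claimed list: ${name}`);
    }
  }
  // A binding.gyp file would also trigger an implicit node-gyp build; that
  // is a file check, not a manifest check, so it is out of scope here.
  return { name: pkg.name, ok: findings.length === 0, findings };
}

// Constructed sample manifests (not the real linkedin-cli package.json).
const CLEAN_SAMPLE = JSON.stringify({
  name: "sample-clean",
  scripts: { test: "node --test" },
  dependencies: { commander: "^12.0.0", dotenv: "^16.0.0", open: "^10.0.0" },
});
const RISKY_SAMPLE = JSON.stringify({
  name: "sample-risky",
  scripts: { prepare: "node scripts/setup.js", test: "node --test" },
  dependencies: { commander: "^12.0.0", "left-pad": "^1.3.0" },
});

for (const sample of [CLEAN_SAMPLE, RISKY_SAMPLE]) {
  const report = auditManifest(sample);
  console.log(report.name, report.ok ? "OK" : "REVIEW");
  report.findings.forEach((f) => console.log("  - " + f));
}
```

To audit the real package, pass the contents of the package.json from the pinned tag to `auditManifest` in place of the samples.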

Commands

Verify auth

linkedin-cli whoami

Authenticate

linkedin-cli auth

Post a text update

linkedin-cli post "Your post text here"

Share a URL with commentary

linkedin-cli share "https://example.com/article" "Your commentary here"

Delete a post

linkedin-cli delete <post-id-urn-or-url>
linkedin-cli delete https://www.linkedin.com/feed/update/urn:li:activity:7654321/

Important rules

  • Do NOT post unless the user explicitly asks or a cron job triggers it. LinkedIn rate-limits API usage.
  • Always confirm with the user before posting or sharing. Show them the text first.
  • Keep posts professional — LinkedIn is a professional network.
  • linkedin-cli accepts raw numeric IDs, full URNs, and LinkedIn post URLs.
  • If you get a 401 error, the token has expired (~60 days). Ask the user to run linkedin-cli auth to re-authenticate.
  • This tool is for posting only. It cannot read feeds, search profiles, or send messages.
Security usage recommendations
Before installing or enabling this skill:
  1. Inspect the GitHub repo (https://github.com/0xmythril/linkedin-cli) and review package.json and source for postinstall scripts, network endpoints, and telemetry claims. Do not rely solely on the README.
  2. Clarify why LINKEDIN_ACCESS_TOKEN is listed as required when the instructions show an interactive auth flow; if a token is needed for cron/headless use, ensure it's scoped and rotated regularly.
  3. If you will allow autonomous invocation, consider disabling model invocation for this skill or require explicit confirmation prompts to avoid accidental posts.
  4. Only install the pinned release after auditing it; if you cannot audit, avoid installing a globally writable npm package from a personal repo.
  5. Store client_secret and tokens with restricted file permissions (chmod 600) as instructed and consider using a secrets manager for long-lived environments.
Functional analysis
Type: OpenClaw Skill
Name: linkedin-cli-2
Version: 0.1.0
The skill is classified as suspicious due to its reliance on installing an external npm package from a GitHub repository (`github:0xmythril/linkedin-cli`) via `npm install -g` as specified in `SKILL.md`. While the installation is pinned to a specific version and the skill's documentation claims the package is secure with no postinstall scripts or telemetry, installing external dependencies from a remote source introduces a supply chain risk. This constitutes a risky capability without clear malicious intent, aligning with the 'suspicious' classification threshold.
Capability assessment
Purpose & Capability
Name/description (post to LinkedIn via API v2) align with required binary 'linkedin-cli' and the described commands. However, the declared required env vars include LINKEDIN_ACCESS_TOKEN while the SKILL.md's setup flow documents creating LINKEDIN_CLIENT_ID and LINKEDIN_CLIENT_SECRET and using 'linkedin-cli auth' to obtain a token — the ACCESS_TOKEN requirement is not explained in the instructions.
Instruction Scope
SKILL.md instructions stay within the expected scope (install, create ~/.config/linkedin-cli/.env, run oauth, post/delete). The guidance to 'only post when explicitly asked' is policy text, not an enforced technical restriction — the agent can be invoked autonomously by default, so this is a behavior guideline rather than a safeguard. The skill claims no network calls except to LinkedIn endpoints, which cannot be verified from an instruction-only skill.
Install Mechanism
Registry metadata says 'No install spec' (instruction-only), but SKILL.md contains an 'openclaw.install' entry that pins an npm install from a GitHub repo: 'npm install -g github:0xmythril/linkedin-cli#v1.0.0'. Installing code from a GitHub repo via npm is common but higher risk than an audited package; the install is pinned (good) but should be audited. The mismatch between 'no install spec' and the embedded install command is an inconsistency that should be clarified.
Credentials
The skill declares three required env vars (LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET, LINKEDIN_ACCESS_TOKEN). Client ID/secret are reasonable for OAuth. Requiring LINKEDIN_ACCESS_TOKEN as a required env var is odd because the SKILL.md documents an interactive 'linkedin-cli auth' flow to obtain the token and stores credentials in ~/.config/linkedin-cli/.env. It's unclear whether an access token is mandatory up front or optional for headless operation. Requesting an access token and client secret gives high-value access — justify why all three are required and whether least-privilege (scoped tokens) is used.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It uses a per-user config file (~/.config/linkedin-cli/.env) which is proportionate. Note: the agent's ability to autonomously invoke the skill (disable-model-invocation: false) is the platform default; combined with OAuth posting rights this increases impact if the agent were compromised — consider restricting autonomous invocation if you are concerned about accidental posts.
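How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install linkedin-cli-2
  3. Once installed, call the Skill by name or use /linkedin-cli-2 to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history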
v0.1.0
Initial release of linkedin-cli-2
  • Post to LinkedIn using the official API v2 with OAuth authentication.
  • Requires explicit user action or scheduling for posting; does not post speculatively.
  • Provides commands to authenticate, verify authentication, post text updates, share URLs, and delete posts.
  • Credentials are stored securely in a local config file with restricted permissions.
  • No telemetry, no postinstall scripts, and minimal dependencies for improved security.
Metadata
Slug linkedin-cli-2
Version 0.1.0
License
Total installs 0
Current installs 0
Version count 1
FAQ

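What is Linkedin Cli?

Post to LinkedIn using the official API v2. Uses OAuth tokens so only post when explicitly asked or scheduled. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 417 total downloads to date.

How do I install Linkedin Cli?

Run the command "/install linkedin-cli-2" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Linkedin Cli free?

Yes, Linkedin Cli is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Linkedin Cli support?

Linkedin Cli runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Linkedin Cli?

Developed and maintained by 0xmythril (@0xmythril); the current version is v0.1.0.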
