📦 Linkedin Content Machine — 一键生成领英内容
v1.0.1输入 YouTube 视频即可自动生成 10 条贴合品牌调性的个性化 LinkedIn 动态与邮件模板,内容可直接发布,节省创作与排版时间。
0· 274·1 当前·1 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Do not install or run this skill without reviewing the executable scripts. Specific steps to take before proceeding:
- Inspect the contents of linkedin-post-generator, linkedin-research, linkedin-email-template, and quickstart to see what network endpoints they contact and whether they expect credentials or contain hard-coded URLs.
- Verify why clawhub.yaml lists an install step and a symlink to /usr/local/bin while the registry metadata reported 'no install spec' — this inconsistency should be ...详细分析 ▾
⚠ 用途与能力
The skill claims to transform YouTube videos into LinkedIn posts and to perform creator research and outreach. The repository manifest (clawhub.yaml and package.json) declares Node and bash requirements and an installation that symlinks a CLI into /usr/local/bin—these are plausible for a CLI tool but are not reflected in the top-level 'Requirements' metadata which lists none. That mismatch (metadata says no install/requirements, but files indicate npm, node, bash, and a system symlink) is an incoherence: a simple text-generation skill would not necessarily need to install CLI binaries into system paths.
⚠ 指令范围
SKILL.md instructs the agent to run local commands (linkedin-research, linkedin-generate/linkedin-post-generator, linkedin-email-template). The skill also advertises sending personalized outreach emails and researching creators, but there are no declared environment variables or instructions for API keys/SMTP credentials. That gap is suspicious: either the commands will prompt for credentials interactively, will perform web scraping (not documented), or will attempt to send email without explicit credential configuration. Also there's a minor command-name inconsistency (SKILL.md references 'linkedin-generate' while entrypoints/reference files use 'linkedin-post-generator').
⚠ 安装机制
Although the registry metadata said 'No install spec', the included clawhub.yaml contains an install section that runs 'npm install' and creates a symlink from 'linkedin-post-generator' to /usr/local/bin. Running npm install and creating symlinks under /usr/local/bin writes to system paths and may require elevated privileges; this increases risk compared to an instruction-only skill. The repository URL points to GitHub (traceable), but the presence of an install script that modifies system directories should be explicitly disclosed to users and verified before running.
⚠ 凭证需求
The skill requests no environment variables or credentials, yet it advertises networked behaviors: researching creators (likely using YouTube/LinkedIn data) and sending outreach emails. These operations commonly require API keys or SMTP credentials. The absence of declared env vars (API keys, tokens, SMTP credentials) is a proportionality mismatch and could indicate undocumented behavior (interactive prompts, hard-coded endpoints, or scraping), so review of the actual CLI scripts is needed before trusting them with real data.
ℹ 持久化与权限
Flags show always:false and normal autonomous invocation, which is fine. The install behavior in clawhub.yaml (symlink to /usr/local/bin) would create a persistent CLI on the system, which is a modest privilege increase (writes to system paths) but not inherently malicious. Users should be aware that installing will add executables to system directories.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/12
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install linkedin-content-machine
镜像加速npx clawhub@latest install linkedin-content-machine --registry https://cn.longxiaskill.com