Trust Assessment
unipile-linkedin received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 1 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Suspicious Dependency Version (Typosquatting/Malicious Package).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Suspicious Dependency Version (Typosquatting/Malicious Package).** The `dotenv` package is listed with version `17.2.4` in `package.json` and `package-lock.json`. The legitimate `dotenv` package on npmjs.com is currently at version `16.x.x`. Version `17.2.4` is highly suspicious and likely indicates a typosquatting attempt or a malicious package. Using such a package could lead to arbitrary code execution, data exfiltration, or other severe security breaches. Replace `"dotenv": "^17.2.4"` with the latest legitimate version, e.g., `"dotenv": "^16.4.5"` (or the exact pinned version `"dotenv": "16.4.5"`). Verify the integrity of the installed package after correction. Also, update `package-lock.json` accordingly. | LLM | package.json:5 |
| CRITICAL | **Suspicious Dependency Version (Typosquatting/Malicious Package).** The `dotenv` package is listed with version `17.2.4` in `package-lock.json`. The legitimate `dotenv` package on npmjs.com is currently at version `16.x.x`. Version `17.2.4` is highly suspicious and likely indicates a typosquatting attempt or a malicious package. Using such a package could lead to arbitrary code execution, data exfiltration, or other severe security breaches. Replace `"dotenv": "17.2.4"` with the latest legitimate version, e.g., `"dotenv": "16.4.5"`. Verify the integrity of the installed package after correction. Also, update `package.json` accordingly. | LLM | package-lock.json:50 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `dotenv` is not pinned to an exact version (`^17.2.4`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/sudhanshu746/unipile-linkedin/package.json |