How to Build a Secure OpenClaw LinkedIn Skill (Avoid Malicious Scripts)
Source: Dev.to
Stop Trusting Random Scripts 🛑
We’ve all been there. You want your AI agent to do something cool—like post to LinkedIn or check your emails—so you search the public registry (ClawHub, etc.) and install the first skill you find.
Big mistake.
Public AI skills are just code running on your machine. If you install a malicious one, you’re handing over the keys to your kingdom. Reports have shown “hacker scripts” deleting data or stealing API keys.
Solution: Build it yourself.
If you can ask an AI to write code, you can build a custom, secure skill in minutes.
In this guide, you’ll learn how to build a LinkedIn Auto‑Poster Skill for OpenClaw from scratch, moving from a manual “recipe” to a fully automated Python tool.
The “Recipe” vs. The “Tool” 🍳 vs 🤖
Recipe (Cookbook)
Your SKILL.md contains raw code (e.g., complex curl commands) that the AI must copy, paste, and fill in each time.
- Problem: Fragile. A missing quote or bracket breaks the skill. Complex tasks (like uploading video) require multiple manual steps.
Tool (Instruction Manual)
SKILL.md becomes a simple instruction, while the heavy lifting moves into a robust script (e.g., linkedin.py).
- Logic lives in the script.
- Instruction in SKILL.md is minimal: “To post, run python linkedin.py 'Hello World'.”
The AI only triggers the script, saving tokens, reducing errors, and increasing reliability.
Step 1: The Setup (LinkedIn Side) 💼
- Go to LinkedIn Developers.
- Create an App – name it “My Personal Bot.”
- Tip: If it asks for a “Company Page,” create a dummy one; it takes seconds.
- Get your keys from the Auth tab:
Client ID and Client Secret.
⚠️ The 60‑Day Gotcha:
LinkedIn tokens expire every 60 days. Refresh the token manually every two months—this is a security feature.
Step 2: The Script (The Magic Sauce) 🪄
The Old Way (The “Curl” Mess)
Uploading a video required four separate commands:
- POST /assets?action=registerUpload – get an upload URL.
- PUT – send the video bytes.
- POST /ugcPosts – publish the post.
- Manual error handling for each step.
The New Way (Python)
All the complexity is wrapped in a single function inside linkedin.py:
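import requests

# API_URL, person_urn, register_upload() and upload_file() are assumed to be
# defined elsewhere in linkedin.py; this excerpt does not show them.

def create_post(token, text, video_path=None):
    # 1. Handle Video (if exists)
    asset_urn = None
    if video_path:
        print(f"Uploading video: {video_path}...")
        # The script handles registration & byte upload automatically
        upload_url, asset_urn = register_upload(token, "video")
        upload_file(upload_url, video_path)

    # 2. Publish
    payload = {
        "author": person_urn,
        "specificContent": {
            "com.linkedin.ugc.ShareContent": {
                "shareCommentary": {"text": text},
                "media": [{"media": asset_urn}] if asset_urn else []
            }
        },
        "visibility": {"com.linkedin.ugc.MemberNetworkVisibility": "PUBLIC"}
    }
    response = requests.post(
        API_URL,
        json=payload,
        headers={"Authorization": f"Bearer {token}"},
        timeout=30,  # do not let the agent hang on a stalled connection
    )
    # Fail loudly instead of reporting success when the API rejects the post
    response.raise_for_status()
    return response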
Now the OpenClaw agent runs one command:
python3 skills/linkedin/linkedin.py "Check out my demo" --video demo.mp4
Zero friction. Zero hallucinations.
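Because the agent chooses the arguments in that command, the script's entry point can check them before create_post runs. The sketch below is an added example, not the author's linkedin.py: the LINKEDIN_ACCESS_TOKEN variable name, the media-folder rule, and the size and length limits are assumptions.

```python
import argparse
import os
import tempfile
from pathlib import Path

TOKEN_ENV = "LINKEDIN_ACCESS_TOKEN"   # hypothetical variable name
ALLOWED_EXT = {".mp4", ".mov"}        # assumed: the only formats you post
MAX_BYTES = 200 * 1024 * 1024         # assumed local size limit
MAX_TEXT = 3000                       # assumed local length limit

def load_token(env=os.environ):
    """Take the token from the environment so it never sits in argv or SKILL.md."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise ValueError(f"{TOKEN_ENV} is not set")
    return token

def validate_video(path, media_root):
    """Return the resolved path only for a regular video file under media_root."""
    root = Path(media_root).resolve()
    resolved = (root / path).resolve()  # collapses ../ and follows symlinks
    if root not in resolved.parents:
        raise ValueError(f"{path}: not inside {root}")
    if resolved.suffix.lower() not in ALLOWED_EXT:
        raise ValueError(f"{path}: extension not allowed")
    if not resolved.is_file() or resolved.stat().st_size > MAX_BYTES:
        raise ValueError(f"{path}: missing, not a regular file, or too large")
    return resolved

def parse_args(argv, media_root):
    """Parse what the agent passed and reject anything outside the expected shape."""
    parser = argparse.ArgumentParser(prog="linkedin.py")
    parser.add_argument("text")
    parser.add_argument("--video")
    args = parser.parse_args(argv)
    if not args.text.strip() or len(args.text) > MAX_TEXT:
        raise ValueError("text is empty or too long")
    video = validate_video(args.video, media_root) if args.video else None
    return args.text, video

if __name__ == "__main__":
    # Constructed demo: a temporary media folder holding one placeholder file.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "demo.mp4").write_bytes(b"\x00" * 16)
        print(parse_args(["Check out my demo", "--video", "demo.mp4"], root))
        for bad in ("../notes.txt", "missing.mp4"):
            try:
                validate_video(bad, root)
            except ValueError as err:
                print("rejected:", err)
```

With the token read from the environment, SKILL.md and the agent's command line never contain it, and the 60-day refresh only means updating one variable.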
Final Thoughts
Building your own skills is the only way to be a “True AI Native.” You control the code, you control the data, and you sleep better knowing no random hacker script is running on your laptop.
Stay safe, build cool stuff.
Collaboratively built with Coke 🥤 (OpenClaw Assistant)