LeadFlow

v1.0.3

Turn any city into a lead list in 60 seconds. Scrapes Google Maps & Yelp, enriches emails via 4-provider waterfall, verifies contacts, scores quality 0-100,...

by Lawrence Kocaj @lkocaj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (scrape Google Maps & Yelp, enrich via multiple providers, verify, score, export) matches the included code (scrapers for Google/Yelp, enrichment clients for Hunter/Apollo/Dropcontact/ZeroBounce/Twilio, deduplication, scoring, export, webhooks). Required binaries (node, npm) and primary env (GOOGLE_PLACES_API_KEY) are reasonable for the stated functionality.
Instruction Scope
SKILL.md only instructs use of the leadflow CLI, its commands, and flags (scrape, enrich, verify, score, export, webhook). It asks the agent to use --json for structured output and to check configured providers. Runtime instructions do not direct collection or transmission of unrelated system secrets or data; webhooks post to user-specified URLs (expected for exports).
Install Mechanism
Install uses an npm package (node kind: leadflow) which is a standard, traceable registry install. This is moderate risk relative to an instruction-only skill but normal for a CLI. Minor packaging inconsistencies in provided artifacts (package-lock.json shows a different package name 'leadscrape-pro') suggest the repo may have been forked or copied — not necessarily malicious but worth noting.
Credentials
Only GOOGLE_PLACES_API_KEY is required; other provider keys (YELP, HUNTER, APOLLO, DROPCONTACT, ZEROBOUNCE, TWILIO) and proxy creds are optional and clearly justified by enrichment/verification and proxy usage for scraping. No unrelated cloud or system credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It installs a CLI binary (normal for a node package). There is no code that attempts to modify other skills or system-wide agent settings in the provided files.
Assessment
This package appears to be what it claims: a CLI for scraping and enriching business leads. Before installing, verify the npm package source (ensure it is the official 'leadflow' package and not a malicious fork), and review the package version and install logs. Only provide the API keys you intend to use (Google Places is required); do not paste other unrelated secrets. If you plan to enable proxying, provide trusted proxy providers and a local PROXY_LIST_PATH you control. Note the minor mismatch in packaging metadata (package-lock.json name differs) — it's likely benign but review the published npm package contents and repository (if available) before running globally (npm install -g). Finally, be aware that the tool will send collected lead data to any webhook URL you configure, so only provide URLs you control or trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk976c5c72pvsnyae7vgxr83gax821t8y

Runtime requirements

🔍 Clawdis
Bins: node, npm
Env: GOOGLE_PLACES_API_KEY
Primary env: GOOGLE_PLACES_API_KEY

Install

Node
Bins: leadflow
npm i -g leadflow
