Lead Generation

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent for lead generation, with disclosed use of Xpoz over MCP, OAuth-based account setup, and locally saved lead data; review those integrations before installing.

This looks acceptable if you trust Xpoz, mcporter, and the xpoz-setup skill. Expect to authorize an Xpoz account, send product/search terms to Xpoz, and store local lead-generation files. Review outreach drafts manually, keep disclosures truthful, and clear saved data if it becomes sensitive or outdated.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

54/54 vendors rated this skill clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low

What this means

Installing the skill may add and run an external command-line tool on the user's machine.

Why it was flagged

The skill installs an external npm CLI (mcporter) that is central to the Xpoz MCP workflow. That is expected for the purpose, but the provided artifacts neither pin a version nor show package provenance, so the tool that actually gets installed is whatever version the registry serves at install time.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install only if you trust the mcporter package and the Xpoz ecosystem. Pin an exact version where possible and verify the package's provenance (for example, the registry signature or provenance attestation for that version) before installing.
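A check of the kind this recommendation asks for, added here as an example (it is not the skill's or ClawScan's own code): it parses an install line in the layout quoted above, decides whether the npm spec pins an exact version, and reports which binaries the install would create. The `runtime | key: value` line format is assumed from this page rather than a documented schema, and any version numbers in the comments are hypothetical.

```python
"""Added example: check whether an agent skill's npm install spec pins an exact version."""
import re

# Exact semver (MAJOR.MINOR.PATCH, optional pre-release and build metadata).
# Ranges such as ^1.2.0 or 1.x and dist-tags such as latest do not match.
EXACT_SEMVER = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def split_npm_spec(spec):
    """Split 'name@version' into (name, version); version is None when absent.
    Scoped packages begin with '@', so only an '@' after index 0 separates the version."""
    at = spec.rfind("@")
    if at <= 0:
        return spec, None
    return spec[:at], spec[at + 1:]


def is_pinned(spec):
    """True only when the spec names one exact, immutable version."""
    _, version = split_npm_spec(spec)
    return version is not None and EXACT_SEMVER.match(version) is not None


def parse_install_line(line):
    """Parse a 'runtime | key: value | key: value' install line.
    This layout is assumed from the review page, not a documented format."""
    parts = [p.strip() for p in line.split("|")]
    fields = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return parts[0], fields


def review_install_line(line):
    """Summarise what an install line would do and whether it is pinned."""
    runtime, fields = parse_install_line(line)
    package = fields.get("package", "")
    binaries = [b.strip() for b in fields.get("creates binaries", "").split(",") if b.strip()]
    name, version = split_npm_spec(package)
    return {
        "runtime": runtime,
        "package": name,
        "version": version,  # None means "whatever the registry serves right now"
        "pinned": is_pinned(package),
        "binaries": binaries,
    }


if __name__ == "__main__":
    # The install line quoted on this page: unpinned, creates the mcporter binary.
    print(review_install_line("node | package: mcporter | creates binaries: mcporter"))
```

Once a version is chosen, `npm view mcporter@<version> dist.integrity` prints the integrity hash a lockfile should record for it, and `npm audit signatures` (npm 8.13 or newer) verifies registry signatures and, where the publisher supplied them, provenance attestations for the packages installed in the current project.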

ASI03: Identity and Privilege Abuse
Severity: Low

What this means

The agent can use the configured Xpoz account to run the lead-search calls described by the skill.

Why it was flagged

The skill authenticates with a delegated Xpoz account. That is purpose-aligned for reaching the provider, but setup includes authorizing the agent against that account, so the agent inherits whatever access the authorization grants.

Skill content

"credentials": "Xpoz account (free tier) — auth via xpoz-setup skill (OAuth 2.1)"

Recommendation

Authorize only an account you are comfortable using for this purpose, review the permissions Xpoz requests during OAuth setup, and revoke the authorization if you stop using the skill.

ASI07: Insecure Inter-Agent Communication
Severity: Low

What this means

Product positioning, target-audience terms, and search queries may be shared with the Xpoz service.

Why it was flagged

Generated product and lead-search queries are sent through mcporter to the Xpoz MCP service. This external-provider flow is disclosed and central to the skill's purpose, but everything the agent places in a query leaves the machine.

Skill content

mcporter call xpoz.getTwitterPostsByKeywords query="GENERATED_QUERY" startDate="DATE"

Recommendation

Treat query text as data shared with Xpoz: keep confidential product plans and sensitive customer details out of queries unless you are comfortable sharing them with the provider.
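A pre-send screen of the kind this recommendation implies, added here as an example (not the skill's own code): it scans a generated query for obviously sensitive material before the agent builds the `mcporter call` quoted above, and refuses to build the command if anything matches. The pattern list and the sample queries are constructed for the example, and the optional list of internal codenames is a hypothetical input; a real deployment would tune both.

```python
"""Added example: screen a generated query before it is handed to an external MCP tool."""
import re

# Constructed, illustrative patterns; a real deployment would extend and tune these.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # Ten or more digits with optional separators: phone numbers, not years or round sizes.
    "phone": re.compile(r"(?:\+?[\s().-]*\d){10,}"),
    # Common API-token prefixes (OpenAI, GitHub, Slack) followed by a long token body.
    "token": re.compile(r"\b(?:sk|ghp|gho|xox[abp])[-_][A-Za-z0-9_-]{16,}"),
}


def screen_query(query, codenames=()):
    """Return (category, matched text) pairs for anything that should not leave the machine.
    codenames is an optional, hypothetical list of internal project names kept private."""
    findings = []
    for category, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(query):
            findings.append((category, match.group(0).strip()))
    lowered = query.lower()
    for name in codenames:
        if name.lower() in lowered:
            findings.append(("codename", name))
    return findings


def build_mcporter_call(query, start_date, codenames=()):
    """Build the argv for the call quoted on this page, or refuse if the query fails screening."""
    findings = screen_query(query, codenames)
    if findings:
        raise ValueError(f"query blocked before egress to Xpoz: {findings}")
    return [
        "mcporter", "call", "xpoz.getTwitterPostsByKeywords",
        f"query={query}", f"startDate={start_date}",
    ]


if __name__ == "__main__":
    # Constructed sample queries: the first passes, the second is reported.
    print(build_mcporter_call("founders hiring SDRs for B2B SaaS", "2024-01-01"))
    print(screen_query("follow up with jane.doe@example.com about Project Nightjar",
                       codenames=["Nightjar"]))
```

Running the screen on the agent's side, before `mcporter` is invoked, keeps the decision local: a blocked query never reaches the provider, and the findings list tells the user exactly which term tripped the check.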

ASI06: Memory and Context Poisoning
Severity: Low

What this means

Past product details and lead history may persist locally and be reused in later lead searches.

Why it was flagged

The skill stores reusable product profiles, search queries, and lead deduplication state. This is bounded to the lead-generation workflow, but stale or altered entries in those files shape the queries and targets of future runs.

Skill content

Save to `data/lead-generation/product-profile.json` and `search-queries.json`... Deduplicate via `data/lead-generation/sent-leads.json`

Recommendation

Review or delete the data/lead-generation files when product details change or if they contain sensitive information, and do not let the deduplication history grow without bound.
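How the deduplication state can be inspected and bounded, as an added example that is not part of the skill: the record layout of `sent-leads.json` (a JSON list of objects with `handle` and `sent_at` fields) and the 90-day retention window are assumptions made for this example, since the page does not show the file's schema; the sample history is constructed and nothing is read from disk when the block is run as-is.

```python
"""Added example: inspect and bound the local deduplication state kept in sent-leads.json."""
import json
from datetime import date, timedelta
from pathlib import Path

# Path named by the skill; the record layout used below is an assumption for this example.
SENT_LEADS = Path("data/lead-generation/sent-leads.json")


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_records(path=SENT_LEADS):
    """Load [{"handle": ..., "sent_at": "YYYY-MM-DD"}, ...]; no file means no history yet."""
    path = Path(path)
    if not path.exists():
        return []
    return json.loads(path.read_text())


def save_records(records, path=SENT_LEADS):
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(records, indent=2))


def already_sent(records, handle):
    """Case-insensitive dedup check: a hit means a future run will skip this lead."""
    wanted = handle.lower()
    return any(r["handle"].lower() == wanted for r in records)


def record_sent(records, handle, sent_on):
    """Append a dedup record (date validated as ISO); returns the updated list."""
    if not already_sent(records, handle):
        records.append({"handle": handle, "sent_at": _as_date(sent_on).isoformat()})
    return records


def prune_stale(records, today, max_age_days=90):
    """Drop records older than max_age_days so old contacts can be re-evaluated and the
    file does not accumulate indefinitely. Returns (kept, number_dropped)."""
    cutoff = _as_date(today) - timedelta(days=max_age_days)
    kept = [r for r in records if date.fromisoformat(r["sent_at"]) >= cutoff]
    return kept, len(records) - len(kept)


def summarize(records, today):
    """What a reviewer wants to see before deciding whether to keep or clear the file."""
    today = _as_date(today)
    ages = [(today - date.fromisoformat(r["sent_at"])).days for r in records]
    return {"count": len(records), "oldest_days": max(ages, default=0)}


if __name__ == "__main__":
    # Constructed sample history; swap in load_records() to inspect a real file.
    history = [
        {"handle": "@acme_cto", "sent_at": "2024-01-10"},
        {"handle": "@old_lead", "sent_at": "2023-09-01"},
    ]
    print(summarize(history, "2024-03-01"))
    kept, dropped = prune_stale(history, "2024-03-01")
    print(f"dropped {dropped}, kept {[r['handle'] for r in kept]}")
```

Because every entry in this file suppresses a future contact, pruning it is a deliberate choice: a shorter window lets old leads be re-evaluated, a longer one avoids repeat outreach, and either way the review should happen whenever the product profile or search queries change.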