Back to skill

Security audit

Lead Generation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed lead-generation workflow that uses Xpoz and local lead files as expected, with privacy and dependency risks users should understand.

Install only if you trust Xpoz, the xpoz-setup OAuth flow, and the mcporter npm package. Avoid using confidential product plans or sensitive customer data in generated queries, periodically review or delete data/lead-generation files, and manually review all outreach drafts before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly stores discovered lead records in local files, including prospect identifiers and social-post metadata, but does not warn the user that potentially sensitive personal data will persist on disk. In a lead-generation context, this can create privacy, retention, and accidental disclosure risks, especially on shared machines or when the workspace is later synced, backed up, or committed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs the agent to send generated queries and product-research-derived data to an external service (Xpoz via mcporter) across multiple social platforms, but it does not clearly warn the user that this information leaves the local environment. Because the product reference may include unreleased business context, targeting criteria, or sensitive strategy, silent transmission to a third party creates confidentiality and compliance concerns.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.