Lead Radar — 9 Platforms Scanned Daily for Warm Leads

Security checks across malware telemetry and agentic risk

Overview

Lead Radar appears to do what it advertises, with disclosed daily scanning, Gemini scoring, and Telegram delivery, though users should understand the external data flows.

Install only if you are comfortable with a daily background job that contacts multiple public platforms, the publisher's license backend, Google Gemini, and Telegram. Use a dedicated Telegram bot token, avoid confidential business secrets in OFFER_DESCRIPTION, review drafted replies before sending them, and be aware that the skill keeps a small local seen-posts database for deduplication.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 97% confidence
Finding: The skill declares no permissions while requiring environment access and extensive network access. That omission weakens informed consent and platform-level policy enforcement, because users are not explicitly warned that secrets from the environment and outbound connections to multiple third parties will be used. In this context the risk is elevated because the skill handles sensitive values such as a Telegram bot token and license key and transmits user-supplied business data to external services.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The documented purpose understates materially important behavior: remote license validation, retrieval of a vendor-controlled Gemini API key, unsolicited Telegram status/error messaging, and persistent local SQLite storage. Hidden or under-disclosed behaviors are dangerous because they expand the trust boundary beyond what users reasonably expect, enabling external control over AI-service access, additional data flows, and durable local retention that may expose operational history or business intelligence. The skill context makes this more dangerous because it is a marketing automation tool that processes user offer descriptions and scraped lead content, so undisclosed third-party handling and local persistence directly affect privacy, compliance, and trust.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The cron job contacts a licensing service and then injects a server-provided Gemini API key into the runtime environment, giving the skill hidden third-party capability that is not necessary for basic source scanning. This creates a supply-chain and secret-control risk: the remote licensor can change model access, monitor usage, or influence downstream data flows without the operator explicitly managing that credential.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The user's OFFER_DESCRIPTION is fed into keyword extraction and later intent scoring via Gemini, which means potentially sensitive business strategy, ICP, or sales copy is transmitted to an external AI service. In this skill context, that data sharing is related to functionality, but the lack of explicit notice and consent makes it a real privacy and data-governance issue.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: This code sends offer descriptions and social-media post content to the external Gemini API, which is a real data-sharing/privacy risk if users are not clearly informed and have not consented. In this skill context, transmitting third-party post text is core functionality, but that does not remove the need for explicit disclosure, data-minimization, and provider trust boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal