Back to skill

Security audit

leadklick

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real lead-management skill, but it needs review because it requires a broad Supabase service-role key and can store, update, delete, and automate outreach for contact records.

Install only if you can isolate this workflow in a dedicated or tightly controlled Supabase project. Treat the service-role key like an admin secret, keep it server-side, rotate it if exposed, verify org isolation and RLS assumptions, review or remove the deleteLead capability, and confirm you have consent before storing contact details or triggering automated emails through Make.com/Resend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly describes capturing lead data from conversations, storing it in Supabase, and triggering Make.com/Resend-based automatic email workflows, but it does not clearly warn that user content and contact data will be transmitted to external services. In a lead-management skill handling personal data, this omission can cause unintended privacy, consent, and compliance issues because operators may deploy it without understanding the outbound data flow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill handles lead contact data and explicitly states it will store data in Supabase and trigger Make.com webhooks for automated outbound email, but it does not present a clear upfront warning about third-party data sharing or automatic email actions. This creates a consent and transparency risk: users or operators may submit personal contact data without understanding it will be transmitted to external services and used for automated outreach.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "big-roman123",
  "license": "MIT",
  "dependencies": {
    "@supabase/supabase-js": "^2.39.0"
  },
  "devDependencies": {
    "typescript": "^5.3.0"
Confidence
90% confidence
Finding
"@supabase/supabase-js": "^2.39.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@supabase/supabase-js": "^2.39.0"
  },
  "devDependencies": {
    "typescript": "^5.3.0"
  }
}
Confidence
86% confidence
Finding
"typescript": "^5.3.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.