lfg

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill is coherent for running a lead-generation CLI, but users should verify the external package and manage API keys and generated contact data carefully.

Before installing, verify the Lead Gen Factory repository and prefer an isolated install. Use dedicated API keys for Tavily and OpenRouter, avoid submitting confidential ICPs unless provider data handling is acceptable, and review generated lead CSVs or saved profiles for privacy and compliance concerns.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI gives third-party code access to the local environment where it runs.

Why it was flagged

The skill tells the user to install an external GitHub-hosted CLI that is not included in the reviewed artifact set and is not pinned to a specific commit or version.

Skill content

pipx install git+https://github.com/Catafal/lead-gen-factory.git

Recommendation

Verify the GitHub repository, pin a trusted version or commit where possible, and install in an isolated environment such as pipx or a virtual environment.

What this means

The installed CLI can use the user’s Tavily and OpenRouter accounts, which may expose usage history or incur provider costs.

Why it was flagged

The skill requires provider API keys stored in a local config file, while the registry metadata lists no required credentials or environment variables.

Skill content

Required API keys (set in `~/.lgf/.env`):
- `TAVILY_API_KEY` — web search
- `OPENROUTER_API_KEY` — LLM scoring + extraction

Recommendation

Use dedicated, least-privilege API keys if available, monitor provider usage, and avoid placing unrelated secrets in the same config file.

What this means

The user’s ICP query and potentially extracted lead information may be processed by external services.

Why it was flagged

The workflow depends on external search and LLM providers to perform lead research, extraction, and scoring.

Skill content

- `TAVILY_API_KEY` — web search
- `OPENROUTER_API_KEY` — LLM scoring + extraction

Recommendation

Do not submit confidential target profiles or proprietary sales strategy unless the provider terms and data handling practices are acceptable.

What this means

The agent may run local commands and create or read files as part of the lead-generation workflow.

Why it was flagged

The skill exposes shell execution and file read/write tools so the agent can run the CLI, read ICP files, and handle JSON or CSV outputs.

Skill content

allowed-tools:
  - Bash
  - Read
  - Write

Recommendation

Keep use limited to explicit lead-research requests, review commands before first installation, and store generated lead files in an appropriate location.

What this means

Saved ICP profiles could be reused in later tasks and may reveal business strategy if stored on a shared machine.

Why it was flagged

The CLI can persist ICP profiles for later reuse, which may preserve target-market assumptions or sales strategy.

Skill content

| `lgf profile add <name>` | Save current ICP as a named profile |

Recommendation

Only save profiles intentionally, avoid saving confidential ICP details on shared systems, and periodically review or remove saved profiles.