Security audit

Lead Gen Operator

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for lead generation, but it stores prospect data and can send Gmail outreach with too little confirmation and scoping for a user-facing agent skill.

Install only if you are comfortable with a lead-generation assistant retaining prospect and outreach data locally and potentially sending real Gmail messages. Before using it, require preview-and-confirm behavior for every email, review where lead data is stored, keep backups before JSON overwrites, and avoid using it for unsolicited or high-volume outreach without compliance review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding
The skill exposes code-backed functionality through a Node CLI and appears to rely on environment-related capabilities, but the manifest does not declare any permissions or capability expectations. This is dangerous because users and hosting platforms cannot accurately assess what the skill can access, reducing transparency and increasing the chance of unintended access to local data or environment-provided secrets.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
The documented purpose presents a focused lead-generation assistant, but the referenced memory-manager behaves as a more general local persistence tool that can read, write, and export named data files. That mismatch is dangerous because it can cause users to trust and invoke the skill under false assumptions, while it performs broader data storage and manipulation operations than advertised.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill explicitly instructs autonomous writes to persistent storage immediately after finding leads, without user confirmation or even notice. This creates unauthorized state changes and can store inaccurate, sensitive, or unwanted prospect data, especially when search results are noisy or user intent was only exploratory.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README states that leads are automatically saved, but it does not clearly warn users that potentially sensitive prospect data will be persisted to local storage. In a lead-generation tool, this can cause users to collect and retain personal or business contact data without understanding retention, consent, or cleanup implications, increasing privacy and compliance risk.

Missing User Warnings

High
Confidence: 97%
Finding
The README advertises that the skill can send outreach emails directly via Gmail, but it does not clearly warn that this is an outbound action that may contact real third parties. In an autonomous agent context, this is risky because users may invoke the feature without realizing it can immediately transmit external communications, leading to spam, reputational harm, unintended disclosure, or abuse of connected mail accounts.

Vague Triggers

Medium
Confidence: 95%
Finding
The phrase "Send to [company]" is broad enough to plausibly appear in ordinary operator-user dialogue, which can cause accidental invocation of an email-sending action. In a lead-gen skill that drafts and transmits outreach, this creates a real risk of unintended external communication, reputational harm, and data leakage to recipients.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide instructs users that the agent can send emails via Gmail but does not clearly warn that generated content will be transmitted to external parties. Because outreach text may include synthesized claims, internal context, or sensitive lead data, omission of a clear transmission warning increases the chance of unreviewed disclosure.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description highlights lead generation features but does not warn that prospect data and generated outreach content are persisted locally and can be exported. This creates a privacy risk because users may place personal or commercially sensitive contact data into the tool without understanding retention, export, or downstream handling.

Missing User Warnings

Medium
Confidence: 97%
Finding
The auto-save behavior performs silent persistence to leads.json with no warning that local state is being modified. Hidden writes are risky because users may not realize data is being retained across sessions, which can lead to privacy issues, bad records, and unintended downstream actions based on stored leads.

Missing User Warnings

Medium
Confidence: 95%
Finding
The email-sending flow instructs the agent to transmit outreach content and lead data via an external sending tool without an explicit confirmation or disclosure step. This can cause unintended external communications, reputational harm, data leakage, and possible policy or legal violations if messages are sent to the wrong recipients or without approval.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs users to overwrite memory JSON files using shell redirection and writeFileSync without any backup, merge, locking, or confirmation safeguards. In a lead-generation workflow where these files store persistent business data across sessions, this can cause irreversible data loss or corruption from mistakes, concurrent writes, or partial/incorrect JSON generation.

Session Persistence

Medium
Category: Rogue Agent
Content
- **Find leads** - Add companies with details (name, size, industry, funding)
- **Auto-score** - Scores leads 0-100 based on funding stage, team size, industry
- **Write outreach** - Generates personalized cold emails
- **Track pipeline** - Status flows: new → enriched → drafted → sent → replied → closed
- **Follow-ups** - Get recommendations on who to follow up with
- **Export** - Export leads to CSV
Confidence: 78%
Finding
Write outreach** - Generates personalized cold emails - **Track pipeline** - Status flows: new → enriched → drafted → sent → replied → closed - **Follow-ups** - Get recommendations on who to follow up

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.