HeyLead
Security checks across static analysis, malware telemetry, and agentic risk
Overview
HeyLead is a coherent LinkedIn sales automation skill, but it asks to run an external MCP package with LinkedIn account access and can autonomously send messages, post, engage, and run a 24/7 scheduler.
Treat this as a high-trust integration. Before installing, inspect and pin the external `heylead` package, understand the LinkedIn and Google permissions requested, start in Copilot mode, keep the cloud scheduler off until you are comfortable, and verify where contacts, messages, tokens, and campaign data are stored.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send outreach, replies, endorsements, reactions, or public posts from the user's LinkedIn identity if enabled or invoked incorrectly.
These tools can mutate a user's LinkedIn account, contact other people, and publish public content. The behavior is aligned with the sales purpose, but the artifacts do not clearly define approval gates, scope limits, or reversibility for these high-impact actions.
`generate_and_send` | Send personalized connection invitations ... `reply_to_prospect` | Auto-reply ... `engage_prospect` | Comment, react, follow, or endorse prospects ... `create_post` | Generate and publish LinkedIn posts
Use Copilot/review mode unless you fully trust the tool, start with a limited campaign, verify each message before sending, and confirm LinkedIn account and campaign limits.
A compromised or over-permissive integration could act through the user's LinkedIn account and affect their professional identity and contacts.
The skill requires delegated Google/LinkedIn account access and token handling, but the registry metadata lists no primary credential and the artifacts do not clearly describe token scope, storage, expiry, or revocation.
authenticate with Google, connect LinkedIn, copy your token, and paste it back
Before connecting accounts, review the requested permissions, use the least-privileged account possible, understand how to revoke access, and avoid pasting tokens unless you trust the external MCP server.
The actual code that receives credentials and controls outreach is not visible in the supplied artifact set and may change if the package resolves to a newer release.
The skill runs an external package as an MCP server, but the supplied review artifacts contain no runnable code and do not pin a package version. This matters because the external package would handle account tokens and perform LinkedIn account actions.
`"command": "uvx", "args": ["heylead"]`
Inspect the PyPI/GitHub package before installing, pin the exact package version, and avoid granting account access until the executable code is reviewed.
Local campaign data may include private contacts, message contents, and lead status that should be protected and cleaned up when no longer needed.
The skill persistently stores LinkedIn contacts and message history locally, which is expected for campaign tracking but involves sensitive relationship and conversation data.
Contacts and messages stored in local SQLite database
Find where the SQLite database is stored, back it up or delete it according to your retention needs, and avoid using the skill on shared machines.
Prospect details or draft/message context may be processed outside the local machine depending on configuration.
The skill discloses that AI processing can be routed through an external backend/provider. This is purpose-aligned, but users should understand what LinkedIn profile, prospect, and message data may be sent for generation or analysis.
AI calls routed through HeyLead backend (Gemini 2.0 Flash) or your own key
Review HeyLead's privacy terms and configuration, prefer your own key or local controls where available, and avoid sending sensitive conversations unless necessary.
Outreach could continue after initial setup, potentially contacting prospects or replying while the user is not actively supervising.
The skill can create persistent autonomous activity that continues outreach over time. Although disclosed and accompanied by pause/emergency-stop tools, the artifacts do not fully define containment, default limits, or monitoring requirements.
Autonomous Scheduling — 24/7 cloud scheduler for invitations, follow-ups, and reply checks
Keep the scheduler disabled until campaigns are reviewed, monitor scheduler status regularly, and confirm that `emergency_stop` works before relying on Autopilot.
