lead-contact-enrichment-agent

Security checks across malware telemetry and agentic risk

Overview

This skill largely does lead enrichment as advertised, but it needs review because it handles personal contact data and has under-scoped execution, storage, and consent risks.

Install only if you trust the publisher and are comfortable sending lead lists, contact details, company records, and some request metadata to Explorium. Prefer an environment variable or secret manager for the API key, avoid --call-reasoning unless the user explicitly agrees, verify the CLI path before running, and delete /tmp/agentsource_*.json files after enrichment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill invokes shell commands, reads and writes local files, accesses environment variables, and makes remote API calls, yet declares no permissions. This undermines informed consent and platform policy enforcement because users and reviewers cannot accurately assess what capabilities the skill will exercise before use.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The manifest presents the skill as a data enrichment tool, but the documented behavior expands into broader prospecting, market intelligence, filter search, trigger retrieval, and matching workflows. This mismatch can cause users to authorize or provide data for a narrower purpose while the skill is capable of materially broader collection and external transmission.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding: The workflow includes broad company intelligence and monitoring features beyond ordinary lead/contact enrichment, such as workforce trends, website intelligence, LinkedIn activity, and corporate hierarchy analysis. Scope expansion increases the chance of unintended data use and makes the skill more privacy-sensitive than its manifest suggests.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: The available enrichment list includes strategic, competitive, and public-company intelligence features that exceed the stated scope of simply appending missing CRM/contact data. Users may unknowingly invoke broader research capabilities that change the sensitivity and compliance profile of the skill.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding: The skill exposes broad search and prospecting capabilities such as autocomplete, statistics, fetch, events, and business/prospect matching in addition to simple lead/contact enrichment. That materially expands what data can be queried and exported, increasing the privacy/compliance and data-exfiltration surface beyond what the skill description suggests.

Description-Behavior Mismatch

Low
Confidence: 94%
Finding: The code can include --call-reasoning user query text in request_context sent to api.explorium.ai, but the manifest does not disclose this behavior. Even though the comment says this is opt-in, it still creates an undocumented outbound channel for potentially sensitive natural-language user input.

Vague Triggers

Medium
Confidence: 80%
Finding: Several trigger phrases are generic, such as 'add data to', 'fill in missing', and 'get more data on', making accidental invocation more likely during ordinary conversation. Broad triggers can activate a networked data-transfer workflow without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill states in metadata that search filters, entity IDs, and request metadata are sent to a remote API, but the operational workflow does not clearly surface this warning at the point where users provide contact, company, or CSV data. That weakens informed consent for transmitting potentially sensitive business contact data to a third party.

Missing User Warnings

Medium
Confidence: 97%
Finding: The tool writes all API results to predictable files under /tmp, which commonly has broad local read access and is shared across processes/users depending on system configuration. Because returned data may include emails, phone numbers, firmographics, and other sensitive B2B contact data, this creates avoidable local data exposure.

Missing User Warnings

Medium
Confidence: 89%
Finding: The config command persists the API key to disk in ~/.agentsource/config.json without a clear user-facing warning at the time of storage. Although file mode 600 is better than default permissions, silently persisting credentials increases the risk of unintended long-term secret exposure on a compromised host or shared environment.

Missing User Warnings

Medium
Confidence: 87%
Finding: The example workflow exports an enriched CSV containing personal and professional contact data, including emails, phone numbers, and LinkedIn URLs, without any explicit privacy notice, consent check, retention guidance, or warning about handling sensitive personal data. In a lead-enrichment skill, this omission can normalize bulk collection and redistribution of personal data in ways that may violate organizational policy or privacy regulations.

Missing User Warnings

Medium
Confidence: 92%
Finding: The example explicitly demonstrates lookup and disclosure of a named person's email, phone number, and profile details without any warning about consent, lawful basis, or acceptable-use constraints. In a lead-enrichment skill, this can normalize collection and sharing of personal contact data in ways that create privacy, compliance, and misuse risk, especially when examples include direct identifiers and seemingly real output.

Missing User Warnings

Medium
Confidence: 89%
Finding: The skill explicitly supports enrichment of prospects with professional email, personal email, direct phone, and mobile phone, but the reference provides no privacy, consent, lawful-basis, or acceptable-use guidance. In a lead enrichment/CRM workflow, this increases the likelihood of collecting and using personal contact data in ways that violate privacy expectations, internal policy, or applicable regulations.

Ssd 3

Medium
Confidence: 95%
Finding: The optional request_context attaches free-form user query text to API calls, creating a direct path for sensitive prompts, customer data, or internal business intent to be sent to a third party. In an agent setting, this is especially risky because upstream components may automatically populate reasoning text without the end user understanding it will leave the local environment.

VirusTotal

65/65 vendors flagged this skill as clean.