Ai Lead Generator Skill

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill advertises validated Apollo/LinkedIn lead generation, but the included code only creates simulated sample leads, so users should review it before relying on it.

Review this skill carefully before installing or using it. The provided code appears to generate local CSV files with fake/sample leads, not validated Apollo or LinkedIn contacts. Do not provide LinkedIn, Apollo, or CRM credentials unless a future version clearly documents official authorization, scopes, and data handling.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI09: Human-Agent Trust Exploitation

What this means

Users may believe they are receiving validated real leads when the output is actually fabricated sample contact data.

Why it was flagged

The code explicitly says it only returns sample data, which conflicts with the skill description claiming AI-powered research, Apollo/LinkedIn integration, email validation, and qualified contacts.

Skill content

// Simulated lead generation (in real implementation, would use Apollo/LinkedIn APIs)
// For demo purposes, return sample data

Recommendation

Do not rely on this skill for production lead generation unless the author updates the documentation and implementation to accurately disclose what data is real, validated, and sourced from authorized integrations.

Low

#ASI03: Identity and Privilege Abuse

What this means

If future use of this skill asks for LinkedIn or Apollo access, users would need to understand what permissions are being granted.

Why it was flagged

The documentation references external account integrations, but the registry metadata declares no primary credential or required environment variables, and the included code does not show a bounded credential flow.

Skill content

- Apollo.io account (optional, improves data quality)
- LinkedIn account (for advanced targeting)

Recommendation

Only provide account access through official scoped OAuth or API keys, avoid sharing passwords or cookies, and verify that requested permissions match the lead-generation task.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Dependency changes could affect what code runs if the package is installed through npm tooling.

Why it was flagged

The package lists npm dependencies with caret version ranges and no lockfile is present in the provided manifest. This is common, but it means installed dependency versions may vary.

Skill content

"dependencies": {
  "csv-writer": "^1.6.0",
  "axios": "^1.6.0"
}

Recommendation

Install from a trusted registry/source and prefer pinned or lockfile-controlled dependency versions for production use.