Ai Lead Generator Skill

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ai-lead-generator-skill
Version: 1.0.0

The skill bundle is classified as benign. The `ai-lead-generator.js` script is a simulation that generates sample lead data and exports it to a CSV file in the current directory. It does not perform any actual network requests (despite `axios` being a dependency) and does not access sensitive files or environment variables. There are no signs of prompt injection in `SKILL.md`, no malicious execution, data exfiltration, or persistence mechanisms. The file writing operation uses a safely constructed filename, preventing path traversal or command injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may believe they are receiving validated real leads when the output is actually fabricated sample contact data.

Why it was flagged

The code explicitly says it only returns sample data, which conflicts with the skill description claiming AI-powered research, Apollo/LinkedIn integration, email validation, and qualified contacts.

Skill content

// Simulated lead generation (in real implementation, would use Apollo/LinkedIn APIs)
// For demo purposes, return sample data

Recommendation

Do not rely on this skill for production lead generation unless the author updates the documentation and implementation to accurately disclose what data is real, validated, and sourced from authorized integrations.

What this means

If future use of this skill asks for LinkedIn or Apollo access, users would need to understand what permissions are being granted.

Why it was flagged

The documentation references external account integrations, but the registry metadata declares no primary credential or required environment variables, and the included code does not show a bounded credential flow.

Skill content

- Apollo.io account (optional, improves data quality)
- LinkedIn account (for advanced targeting)

Recommendation

Only provide account access through official scoped OAuth or API keys, avoid sharing passwords or cookies, and verify that requested permissions match the lead-generation task.

What this means

Dependency changes could affect what code runs if the package is installed through npm tooling.

Why it was flagged

The package lists npm dependencies with caret version ranges and no lockfile is present in the provided manifest. This is common, but it means installed dependency versions may vary.

Skill content

"dependencies": {
  "csv-writer": "^1.6.0",
  "axios": "^1.6.0"
}

Recommendation

Install from a trusted registry/source and prefer pinned or lockfile-controlled dependency versions for production use.