Security audit

03 Lead Enrichment Scanner

Security checks across malware telemetry and agentic risk

Overview

This lead-enrichment skill is not clearly malicious, but it needs review because it handles prospect data, sends data and API credentials to external services, and overstates what it can verify.

Install only after reviewing the code and docs. Treat generated emails, LinkedIn/profile claims, and decision-maker data as unverified guesses; avoid providing LinkedIn cookies or session tokens; set LLM_BASE_URL only to a trusted HTTPS endpoint; and make sure your use of contact data and outreach complies with privacy and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'req' from os.environ.get (line 209, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        if robots_url in ROBOTS_TXT_CACHE:
            return ROBOTS_TXT_CACHE[robots_url]
        req = urllib.request.Request(robots_url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=5) as r:
            content = r.read().decode("utf-8", errors="replace")
        path = parsed.path or "/"
        disallowed = False
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=5) as r:

Tainted flow: 'req' from os.environ.get (line 209, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        time.sleep(rl)
    try:
        req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.read().decode("utf-8", errors="replace")
    except Exception as e:
        return None  # caller logs
Confidence
84% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as r:

Tainted flow: 'req' from os.environ.get (line 209, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                "User-Agent": USER_AGENT,
            }
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            result = json.loads(r.read())
            return result["choices"][0]["message"]["content"].strip()
    except urllib.error.HTTPError as e:
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as r:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises operational behaviors that imply network access, environment-variable use, and local file writes, but no permissions are declared. This creates a transparency and consent problem: users and the hosting platform cannot accurately assess or gate what the skill can access before execution, increasing the risk of unintended data access or exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior materially overstates what the skill appears to do, including claims about identifying decision-makers, returning LinkedIn profiles, and producing enriched contact emails when the output may instead be guessed patterns and generic links. In a lead-enrichment context, this can mislead users into trusting inaccurate personal-data processing, triggering privacy, compliance, and business-decision risks.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Overly broad activation phrases can cause the skill to trigger for generic sales or contact-management requests where the user did not intend web scraping, enrichment, or outreach generation. In this context, mistaken activation is more dangerous because the skill handles personal/contact data and may prompt collection or use of cookies and external lookups.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The usage conditions define many broad business scenarios but do not state when the skill should not activate or when user confirmation is required. That increases the chance of unintended processing of company lists, personal data, or outreach content generation in contexts where the user only wanted advice or analysis.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill mentions optional use of user-provided LinkedIn cookies and handling of contact data, but it does not prominently warn about the sensitivity of credentials/session tokens or the privacy implications of processing personal information. In this context, omission of those warnings can lead users to expose account-access artifacts or process personal data without informed consent or adequate compliance controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The marketing copy promotes generating decision-maker names, email patterns, LinkedIn profiles, and outreach drafts, but it does not warn users about privacy, consent, anti-spam, or jurisdiction-specific legal restrictions for personal data processing and outbound contact. In a lead-enrichment skill, this omission can normalize non-compliant prospecting and increase the likelihood that users process personal data or send outreach in ways that violate GDPR, CAN-SPAM, or similar rules.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends scraped company descriptions and related metadata to an external LLM service without clear user-facing disclosure or consent at the command surface. In a lead-enrichment context, this broadens third-party data exposure and may violate user expectations, internal policy, or contractual restrictions even if the data is nominally business-related.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Lead records are sent to an external LLM to generate outreach drafts without a clear warning or consent mechanism. Because these records may contain names, titles, emails, and company context, the hidden transfer creates avoidable privacy and compliance risk in a tool specifically intended for prospecting.

External Transmission

Medium
Category
Data Exfiltration
Content
            )
            LLM_API_KEY_MISSING_WARNED = True
        return None
    base_url = os.environ.get("LLM_BASE_URL", "https://api.minimax.chat/v1")
    try:
        data = json.dumps({
            "model": model,
Confidence
88% confidence
Finding
https://api.minimax.chat/

VirusTotal

VirusTotal findings are pending for this skill version.