Lead Gen Website Builder (SEO PUR)
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for building lead-generation websites, but its page generator can write outside the intended folder and its contact-form template may mislead users about privacy/compliance readiness.
Review before using in production. Patch the page generator so filenames cannot escape the intended output directory, do not run it on untrusted JSON, and replace the contact-form placeholder with a secure backend and real RGPD/GDPR consent controls before deploying a lead-capture website.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs this script on untrusted or poorly reviewed page data, it could overwrite files outside the intended pages folder within the agent's filesystem permissions.
The script takes filenames from the JSON page data and writes them directly under the output path without normalizing or rejecting '../' or absolute paths.
    filename = page.get('filename', f"{page.get('component_name', 'Page')}.tsx")
    output_file = output_path / filename
    ...
    with open(output_file, 'w', encoding='utf-8') as f:

Restrict generated filenames to safe basenames, reject absolute paths and '..', confirm overwrites, and verify the final resolved path remains inside the intended output directory.
A user could deploy the generated site believing lead capture and RGPD/GDPR handling are production-ready, while visitor contact details are not actually submitted securely and may be mishandled.
The template logs personal lead data in the browser and displays a successful-send message even though no secure submission or consent handling is implemented in this component.
    console.log("Form submitted:", formData);
    toast.success("Message envoyé ! Nous vous recontacterons rapidement.");

Mark the form as a placeholder until wired to a secure backend, remove PII console logging, add a clear consent checkbox and privacy-policy link, and only claim RGPD/GDPR compliance after implementing the required controls.
This is expected for a website-building skill, but users need to know that local tools and scripts will be run in their environment.
The skill relies on local helper commands and Python scripts even though the registry declares no install specification or required binaries.
    webdev_init_project <project-name> ... python /home/ubuntu/skills/lead-gen-website/scripts/generate_pages_batch.py service-template.tsx services-data.json client/src/pages/
Document the expected runtime tools in metadata or setup notes, and run only the reviewed bundled scripts from trusted paths.
