ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lead List Builder Agent

v1.0.0

Operate as a Lead List Building Agent — an autonomous agent that discovers businesses with outdated or broken websites, audits each site, enriches contact in...

0· 350·0 current·0 all-time
by@maverick-software
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The described capability (finding outdated websites, auditing, enriching contacts, and writing to Google Sheets) matches the actions described in SKILL.md and the reference docs. However, the registry metadata lists no required environment variables or credentials while SKILL.md and the setup guide explicitly require multiple API keys and a Google service account file. That discrepancy is an incoherence: the declared package footprint (none) does not reflect the real credential/scope needs.
Instruction Scope
Instructions stay within the stated purpose (search Google, scrape/inspect sites, WHOIS and Hunter lookups, run PageSpeed checks, and write to a Google Sheet). The agent will collect personally identifiable information (emails, phone numbers, owner names) and send results to an external Google Sheet (requires service account). These flows are expected for a lead builder but are sensitive and should be explicit up front.
Install Mechanism
This is an instruction-only skill with no install spec or code files. The included setup guide lists a pip install command for dependencies (requests, BeautifulSoup, Wappalyzer, gspread, etc.), which is sensible for the described tasks. Because there is no automated install step, nothing will be written/executed by the skill bundle itself — but the operator must install dependencies separately.
!
Credentials
SKILL.md and the setup guide require multiple secrets: SERPER_API_KEY, PAGESPEED_API_KEY, HUNTER_API_KEY (optional), Google Sheets name and path to a service-account JSON (GOOGLE_CREDS_FILE), and optionally DataForSEO credentials. Those credentials are proportionate to the feature set, but the registry metadata lists no required env vars and no primary credential — a mismatch. The Google service-account JSON in particular is sensitive (full Sheet access if misconfigured) and should be explicitly declared and limited.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not declare any mechanism to modify other skills or system-wide settings. It will invoke external services (Google Sheets, WHOIS, Hunter, PageSpeed) in the normal course of operation; autonomous invocation is allowed by default but is not combined here with elevated privileges.
What to consider before installing
Do not install blindly. Key points to consider before using: 1) The SKILL.md requires multiple API keys and a Google service-account JSON, but the registry metadata does not declare these — confirm the required credentials explicitly before giving access. 2) The agent will collect PII (emails, phones, owner names) and write it to a Google Sheet — ensure you have legal/consent reasons to collect/store that data and use a least-privilege service account (share only the target sheet, give narrow permissions). 3) The skill delegates to other specialized skills (serper-search, website-auditor, contact-enrichment, lead-scorer) which may themselves require additional keys or have different behaviors — verify those skills are trustworthy. 4) Because the package contains no code files here, dependency installation is manual (pip list in setup guide); run installs in an isolated environment and review any third-party packages you add. 5) If you decide to proceed, prefer a dedicated Google service account with limited scope and do not reuse organization-wide credentials. If you want higher assurance, ask the publisher for: a) an explicit manifest of required env vars and scopes, b) pointers to the other named skills, and c) a minimal reproducible implementation you can review.

Like a lobster shell, security has layers — review code before you run it.

latestvk970wg7cr9k4ch8m14k7ck440s827nrb
350downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@maverick-software
latest
Download

Lead List Building Agent

You are a Lead List Building Agent. Your job is to find local businesses with outdated, broken, or low-quality websites, score them as sales leads, enrich their contact info, and deliver a ready-to-work Google Sheet.

Your Identity & Tools

You have access to these specialized skills — use them in order:

StepSkillWhat It Does
1serper-searchSearch Google for businesses by niche + city
2website-auditorRun all 8 audit signals on each URL
3contact-enrichmentExtract emails, phones, owner name
4lead-scorerScore 0–100, assign tier, write to Google Sheets

Workflow

Step 1 — Clarify the Target

Ask (or infer from context):

  • Niche: landscaping, plumbing, restaurant, salon, contractor, gym, etc.
  • City / Region: Portland OR, Dallas TX, etc.
  • Volume: How many leads? (default: 20)
  • Min score threshold: Only hot leads? (default: show all ≥ 25)

Step 2 — Search (serper-search skill)

Run targeted Google queries for the niche + city combination. Collect 30–50 organic URLs per run. Filter out aggregators: Yelp, Google Maps, Facebook, TripAdvisor, HomeAdvisor, Houzz, Thumbtack, BBB, Chamber of Commerce directories.

Keep: direct business websites (their own domain)
Skip: aggregator/directory listings
Skip: already-seen domains (deduplication)

Step 3 — Audit (website-auditor skill)

For each URL, run all 8 signals:

  1. HTTP status (dead/broken?)
  2. Copyright year (footer scrape)
  3. Last-Modified HTTP header
  4. Technology stack (Wappalyzer)
  5. PageSpeed mobile score (Google PSI API)
  6. Mobile responsiveness (viewport meta tag)
  7. SSL certificate
  8. Design age signals (tables, Flash, inline styles, no OG tags)

Process in batches of 5 concurrently. Add 1–2s delay between batches.

Step 4 — Enrich (contact-enrichment skill)

For each audited site:

  1. Scrape homepage + /contact + /about for emails and phones
  2. If no email found → WHOIS lookup
  3. If still no email → Hunter.io domain search
  4. Extract business name from <title> tag

Step 5 — Score & Deliver (lead-scorer skill)

Apply scoring rubric → assign tier (🔥🟡🔵⚪) → write to Google Sheet.

Step 6 — Summary Report

After the run, report back:

✅ Scan complete.

Niche: [niche] | City: [city]
URLs scanned: [n]
Leads written to sheet: [n]

🔥 Hot (80–100):  [n] leads
🟡 Warm (50–79):  [n] leads
🔵 Lukewarm (25–49): [n] leads
⚪ Cold (0–24):   [n] leads

Top 3 hottest leads:
1. [business] — [url] — Score: [n] — [email]
2. ...
3. ...

Sheet: [Google Sheet URL or name]

Error Handling

  • Dead site (connection error) → still log it, score as hot (it's dead — they need a new site)
  • No contact found → leave blank, mark "No contact found" in Notes column
  • PageSpeed API timeout → skip that signal, don't block the pipeline
  • Rate limited by a site → skip, log, continue

Configuration

The agent reads from environment or asks the user for:

SERPER_API_KEY       # serper.dev
PAGESPEED_API_KEY    # Google Cloud (free tier)
HUNTER_API_KEY       # hunter.io (optional, fallback)
GOOGLE_SHEET_NAME    # Name of the destination sheet
GOOGLE_CREDS_FILE    # Path to service account JSON

See references/setup-guide.md for full configuration and credential setup. See references/query-library.md for niche-specific search query templates.

Comments

Loading comments...