Leadgenius

Security checks across malware telemetry and agentic risk

Overview

The skill’s lead-enrichment purpose fits its CRM integrations, but it advertises high-volume automatic CRM updates and privacy/compliance assurances without evidence of an approval step, credential scoping, rollback behavior, or an implementation behind the claims.

Install only if you are comfortable giving this skill access to lead-enrichment and CRM credentials. Use sandbox or least-privilege tokens, run a small test batch first, require a preview and explicit approval before any CRM sync or Slack/Sheets export, and do not rely on the GDPR/audit-log claim without separate documentation.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A mistaken run could bulk-create or update incorrect lead records, pollute CRM data, or trigger downstream sales and marketing workflows.

Why it was flagged

This describes high-volume automated writes to business systems. The visible artifact does not specify a required preview, explicit approval, field allowlist, batch limit, dry run, or rollback before modifying CRM data.

Skill content
"CRM Sync": Automatically push enriched records and scores to Salesforce, HubSpot, Pipedrive, or your custom CRM via API ... "Batch Processing": Process 10,000+ leads in minutes
Recommendation

Require an explicit user approval step before any CRM write, show a diff and record count, default to small test batches or sandbox mode, and document rollback behavior.
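The recommendation above translates into a small wrapper around the CRM write path. The following is an added example, not code from the LeadGenius skill or ClawScan: it computes a diff against current records, enforces a field allowlist and a batch cap, refuses to create records for unknown ids, defaults to a dry run, requires an explicit `approved` flag, and journals old values so the run can be reverted. The CRM records, the allowlist, the batch limit and `fake_crm_write` are all constructed stand-ins.

```python
"""Gate bulk CRM writes behind a preview, allowlist, batch cap, approval and rollback.
Added example; the field names, limits and in-memory CRM below are constructed."""
from dataclasses import dataclass, field

# Constructed allowlist: only the enrichment fields the skill is meant to write back.
FIELD_ALLOWLIST = frozenset({"company", "title", "industry", "lead_score"})
DEFAULT_BATCH_LIMIT = 50  # hypothetical default; the skill advertises 10,000+ per run


@dataclass
class SyncPlan:
    updates: dict = field(default_factory=dict)    # id -> {field: (old, new)}
    rollback: dict = field(default_factory=dict)   # id -> {field: old}
    rejected_fields: set = field(default_factory=set)
    unknown_ids: list = field(default_factory=list)


def plan_sync(current, enriched, allowlist=FIELD_ALLOWLIST, batch_limit=DEFAULT_BATCH_LIMIT):
    """Compute what a sync would change. Read-only; never touches the CRM."""
    if len(enriched) > batch_limit:
        raise ValueError(f"{len(enriched)} records exceed batch limit {batch_limit}; split the run")
    plan = SyncPlan()
    for rid, new_fields in enriched.items():
        if rid not in current:              # never bulk-create on an unknown id
            plan.unknown_ids.append(rid)
            continue
        changes = {}
        for name, new in new_fields.items():
            if name not in allowlist:        # owner, stage, email etc. stay untouched
                plan.rejected_fields.add(name)
                continue
            old = current[rid].get(name)
            if old != new:
                changes[name] = (old, new)
        if changes:
            plan.updates[rid] = changes
            plan.rollback[rid] = {n: old for n, (old, _) in changes.items()}
    return plan


def render_preview(plan):
    """Diff and record count shown to the user before approval is requested."""
    lines = [f"{len(plan.updates)} record(s) would change; "
             f"{len(plan.unknown_ids)} unknown id(s) skipped"]
    for rid, changes in sorted(plan.updates.items()):
        for name, (old, new) in sorted(changes.items()):
            lines.append(f"  {rid}.{name}: {old!r} -> {new!r}")
    if plan.rejected_fields:
        lines.append(f"  ignored non-allowlisted field(s): {sorted(plan.rejected_fields)}")
    return "\n".join(lines)


def apply_sync(plan, crm_write, approved=False, dry_run=True):
    """Write the plan. Safe defaults: dry run, and unapproved writes refuse."""
    if dry_run:
        return 0
    if not approved:
        raise PermissionError("explicit user approval required before CRM writes")
    for rid, changes in plan.updates.items():
        crm_write(rid, {name: new for name, (_, new) in changes.items()})
    return len(plan.updates)


def revert_sync(plan, crm_write):
    """Undo an applied plan by writing the journaled old values back."""
    for rid, old_values in plan.rollback.items():
        crm_write(rid, old_values)
    return len(plan.rollback)


# Constructed sample data: an in-memory stand-in for the CRM and an enrichment result.
CRM = {
    "L1": {"company": "Acme", "title": "CTO", "owner": "alice", "lead_score": 40},
    "L2": {"company": "Globex", "title": None, "owner": "bob", "lead_score": 10},
}
ENRICHED = {
    "L1": {"company": "Acme", "title": "CTO", "lead_score": 85, "owner": "mallory"},
    "L2": {"title": "VP Sales", "industry": "Manufacturing"},
    "L9": {"company": "Initech"},   # not in the CRM: must not be created silently
}


def fake_crm_write(rid, fields):
    """Stand-in for the real CRM API call (constructed)."""
    CRM[rid].update(fields)


if __name__ == "__main__":
    plan = plan_sync(CRM, ENRICHED)
    print(render_preview(plan))
    apply_sync(plan, fake_crm_write)  # dry run by default: nothing written
    # In a real skill `approved` comes from the user confirming the preview above.
    print("applied", apply_sync(plan, fake_crm_write, approved=True, dry_run=False))
    print("reverted", revert_sync(plan, fake_crm_write))
```

The point of the journal is that rollback needs the old values captured before the write, which a fire-and-forget "push enriched records" integration never keeps; the batch cap and the refusal to create unknown ids are what keep a mistaken run small and reversible.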

ASI03: Identity and Privilege Abuse
Low
What this means

Overly broad API keys could give the skill more access to CRM or enrichment-provider data than the user intends.

Why it was flagged

Credentials are expected for lead enrichment and CRM access, but the artifact does not describe the exact services, scopes, read/write permissions, or rotation expectations for these keys.

Skill content
"env": ["LEADGENIUS_API_KEY", "CRM_API_KEY", "ENRICHMENT_SERVICE_KEY"]
Recommendation

Use least-privilege tokens, preferably for a sandbox or dedicated integration account, and avoid providing admin-wide CRM credentials unless absolutely necessary.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may trust the skill with regulated lead or CRM data based on privacy claims that are not verifiable from the reviewed artifacts.

Why it was flagged

The skill handles personal and business contact data, but the supplied artifacts include only SKILL.md and no implementation, policy, retention model, or audit-log mechanism substantiating this compliance assurance.

Skill content
"Compliance & Privacy": GDPR-compliant data handling with audit logging for regulated industries
Recommendation

Treat the compliance claim as unverified until the publisher documents data flows, retention, subprocessors, audit logging, and GDPR/legal basis controls.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Lead data could be shared beyond the CRM into Slack channels, spreadsheets, or Zapier workflows if the user enables those integrations.

Why it was flagged

Sending reports or enriched lead data to collaboration and automation tools is disclosed and purpose-aligned, but those destinations can expose personal or business contact data to additional workspaces and apps.

Skill content
LeadGenius integrates with "Google Sheets", "Slack notifications", and "Zapier"
Recommendation

Confirm destination workspaces, channels, spreadsheets, and Zapier automations before sending lead data, and avoid exporting sensitive fields unless needed.
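One way to enforce that recommendation in code, as an added example that is not part of the skill or the scan: a per-destination export policy that refuses unapproved destinations outright, drops every field not on that destination's allowlist, and masks fields (email, phone) that a report needs but should not carry in the clear. The destination names, the policy and the lead records are constructed.

```python
"""Data-minimizing export of enriched leads to chat, spreadsheet and automation
destinations. Added example; destinations, policy and records are constructed."""
import re

# Constructed policy: which fields each approved destination may receive,
# and which of those are masked on the way out. Anything not listed is refused.
EXPORT_POLICY = {
    "slack:#sales-alerts": {"fields": {"company", "title", "lead_score"}, "mask": set()},
    "sheets:weekly-report": {"fields": {"company", "industry", "lead_score", "email", "phone"},
                             "mask": {"email", "phone"}},
}


def mask_email(value):
    """jane.doe@example.com -> j***@example.com (keeps the domain for routing)."""
    local, sep, domain = str(value).partition("@")
    if not sep or not local:
        return "***"
    return f"{local[0]}***@{domain}"


def mask_phone(value):
    """Keep only the last four digits: '+1 555 867 5309' -> '***5309'."""
    digits = re.sub(r"\D", "", str(value))
    return f"***{digits[-4:]}" if len(digits) >= 4 else "***"


MASKERS = {"email": mask_email, "phone": mask_phone}


def export_rows(destination, records, policy=EXPORT_POLICY):
    """Return (rows, dropped_fields) for an approved destination; raise otherwise."""
    if destination not in policy:
        raise PermissionError(f"destination {destination!r} is not approved for lead data")
    rule = policy[destination]
    rows, dropped = [], set()
    for rec in records:
        row = {}
        for name, value in rec.items():
            if name not in rule["fields"]:
                dropped.add(name)            # e.g. notes, owner, raw enrichment payload
                continue
            if name in rule["mask"] and name in MASKERS:
                value = MASKERS[name](value)
            row[name] = value
        rows.append(row)
    return rows, sorted(dropped)


# Constructed sample leads as an enrichment step might produce them.
LEADS = [
    {"company": "Acme", "title": "CTO", "industry": "Software", "lead_score": 85,
     "email": "jane.doe@example.com", "phone": "+1 555 867 5309",
     "notes": "met at conference; budget approved"},
    {"company": "Globex", "title": "VP Sales", "industry": "Manufacturing", "lead_score": 60,
     "email": "bob@globex.example", "phone": "555-0100", "notes": "cold"},
]

if __name__ == "__main__":
    for dest in ("slack:#sales-alerts", "sheets:weekly-report"):
        rows, dropped = export_rows(dest, LEADS)
        print(dest, "dropped:", dropped)
        for row in rows:
            print("  ", row)
    try:
        export_rows("zapier:hook-unreviewed", LEADS)
    except PermissionError as exc:
        print("refused:", exc)
```

Keeping the policy keyed by concrete destination (channel, sheet, hook) rather than by tool is what makes "confirm destination workspaces" checkable: a new Slack channel or Zapier hook gets nothing until someone adds it to the policy with an explicit field set.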