Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
High Intent Lead Finder
v1.0.0
Identifies companies showing real-time buying signals like funding, hiring, tech changes, or competitor frustration, then generates personalized outreach at...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to use Apify, InVideo AI, and Claude to scrape many sources and produce personalized outreach. That purpose legitimately requires API credentials and network access to those services, yet the registry metadata lists no required env vars, primary credential, or install steps. The absence of declared credentials (Apify token, InVideo API key, Claude key) is inconsistent with the described functionality.
Instruction Scope
SKILL.md explicitly instructs scraping LinkedIn posts/jobs, Crunchbase, Twitter/X, Google News, Reddit, G2/Trustpilot and using Wappalyzer to detect tech changes, then generating outreach and videos. The instructions do not ask the agent to read local files, but they do require broad network scraping and use of third-party APIs. The file includes example inputs containing 'apify_token' and 'invideo_api_key', but the skill metadata does not declare these as required — an operational/information gap that could lead to hidden prompts to provide secrets at runtime.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it does not write binaries or archives to disk. That reduces installation risk; however, runtime network calls to external services still create an operational risk surface.
Credentials
Although the metadata declares no required environment variables, the SKILL.md demonstrates clear runtime dependencies on secrets (e.g., 'apify_token', 'invideo_api_key', and implicitly a Claude credential). Requiring multiple third‑party credentials for scraping and AI generation is reasonable for the stated purpose, but the omission from declared requirements is a red flag — users may be prompted to paste sensitive tokens without clear disclosure of what will be stored or transmitted.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify agent-wide settings or other skills. Autonomous invocation is enabled by default but not exceptional here. No config paths are requested. Combined with the other concerns, monitor whether the skill will be allowed to perform outbound actions (send outreach) autonomously.
What to consider before installing
This skill's description and runtime instructions clearly need API tokens (Apify, InVideo, and likely a Claude key) and will perform broad web scraping and content generation — but the published metadata does not declare those credentials. Before installing or providing secrets, ask the publisher: (1) exactly which credentials are required and why, (2) whether the skill will transmit/store those tokens and where, (3) whether the skill will automatically send outreach (emails/DMs/videos) or only generate drafts for review, (4) how scraped personal data is retained, logged, or shared, and (5) what rate limits and legal compliance (LinkedIn/TOS, Crunchbase, Twitter/X, G2) steps are in place. If you proceed, prefer giving tokens with minimum scopes, test in a sandbox account, and require manual approval before any outbound contact is sent. If the publisher cannot clarify how credentials are handled or refuses to list required env vars in the metadata, consider this a blocking issue.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cc96fke01kjtz7dky6xjh79846615
