Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
High Intent Leads
v1.0.0Detect companies showing real-time buying signals like funding, hiring, tech changes, or competitor pain, then generate hyper-personalized outreach at peak i...
⭐ 0· 29·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description (real-time buying signals → personalized outreach) align with the instructions: scraping news, LinkedIn, Crunchbase, Twitter/X, Reddit, G2/Trustpilot and using Wappalyzer, scoring signals, and generating outreach with Claude and InVideo. Requiring Apify scrapers, Wappalyzer, a video API and an LLM for personalization is reasonable for this use case.
Instruction Scope
The SKILL.md gives a detailed multi-step workflow that stays within lead-gen scope (discover signals, score intent, produce outreach). It instructs the agent to run many external scrapers and to call InVideo and Claude. It does not instruct reading local system files or unrelated credentials, but it does imply transmitting scraped company/person data to external services (Apify, InVideo, Claude). The SKILL.md is broad — it expects networked scraping and third-party API usage, which is expected for the purpose but important to verify (how and where data is sent).
Install Mechanism
Instruction-only skill with no install spec and no code files. Low technical install risk because nothing is written to disk by an installer. Operational risk comes from the network actions described in the instructions rather than an install-time payload.
Credentials
The SKILL.md explicitly uses 'apify_token' and 'invideo_api_key' in its example inputs and relies on Claude AI, but the skill metadata declares no required env vars or primary credential. This mismatch is a concrete incoherence: the skill will require API keys to function but does not request or declare them. Users need to know which credentials the skill will ask for and where those creds will be stored or used. Also confirm whether providing these keys grants the skill ability to make arbitrary API calls under your account (billing/abuse risk).
Persistence & Privilege
The skill is not 'always' installed and does not request persistent system-level privileges. It is user-invocable and can run autonomously per platform defaults; that is normal. No evidence it writes/modifies other skills or system settings.
What to consider before installing
This skill appears to do what it says (scrape many public sources, score intent, create personalized outreach), but it has an important mismatch: the runtime instructions expect API keys (Apify, InVideo, and likely a Claude API key) while the registry metadata lists no required credentials. Before installing or running: 1) Ask the skill author to list all required environment variables/credentials and explain exactly how they are used and stored. 2) Confirm whether API calls (scraping, video generation, LLM calls) will run under your accounts and incur charges. 3) Verify data flows and retention: where is scraped data sent/stored, and is PII handled appropriately (GDPR/other compliance)? 4) Check terms-of-service and legal risk for scraping LinkedIn, Crunchbase, Twitter/X, G2, etc. 5) Test on a small, non-sensitive dataset first (limit max_leads, lower lookback_days). 6) If you don't want the skill to access external APIs, do not provide API keys. If the author cannot clearly justify and document the required credentials and data flows, treat the skill as high risk and avoid installing it.Like a lobster shell, security has layers — review code before you run it.
latestvk978vxenkb51jwdc51x8yge6vs840zvd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.