Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ultimate Lead Sniper
v1.0.0Detect companies with recent funding, hiring, tech changes, competitor complaints, or LinkedIn signals indicating high buying intent, and generate personaliz...
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The stated goal (detect funding/hiring/tech/LinkedIn signals and produce personalized outreach) aligns with using scrapers + an LLM + video generator. However, the skill documentation explicitly expects Apify and InVideo usage (and implicitly a Claude API) while the registry metadata declares no required credentials or config — this mismatch suggests the metadata is incomplete or inaccurate.
Instruction Scope
SKILL.md instructs scraping LinkedIn posts/jobs, Crunchbase, Twitter/X, Reddit, G2/Trustpilot, Google News, and running Wappalyzer-style tech-stack checks, then sending data to Claude and InVideo. The instructions do not document how authentication to those services is handled, do not declare required secrets for Claude or LinkedIn, and do not mention robots.txt, rate-limits, or legal/ToS constraints. That gives the agent broad, under-specified scraping authority and omits important operational constraints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it doesn't write code to disk or install third-party binaries via the registry. That minimizes installation risk. The remaining risk is from external services the skill expects to call (Apify, InVideo, Claude), not from an installer.
Credentials
Registry metadata lists no required env vars, but the SKILL.md input schema and examples reference 'apify_token' and 'invideo_api_key'. The skill also references Claude AI but provides no declared primary credential for it. Requesting multiple service tokens (Apify, InVideo, possibly Claude, and potentially LinkedIn/Cronchbase auth) is proportional to the task only if those credentials are declared and scoped; here they are not, which is an incoherence and a security/privacy risk.
Persistence & Privilege
The skill does not request always:true and has no install/persistence behavior declared. The default ability for the agent to autonomously invoke the skill is normal; there is no evidence the skill attempts to modify other skills or system-wide settings.
What to consider before installing
Key things to consider before installing: (1) Metadata is incomplete — SKILL.md expects apify_token and invideo_api_key (and likely a Claude API key and LinkedIn/Credential access) but the registry lists no required env vars; ask the publisher to update metadata so you know exactly what secrets are needed. (2) The skill instructs scraping LinkedIn, Crunchbase, Twitter/X, G2/Trustpilot, Reddit and running tech-stack detection — confirm how authentication, rate-limiting, and Terms-of-Service compliance are handled and whether you will be exposing any personal or account credentials. (3) Prefer providing scoped API tokens (least privilege) and never share platform passwords; verify where tokens are stored/used by the agent. (4) If you decide to try it, test with minimal input (max_leads small), review outputs carefully for PII or sensitive data, and require the author to disclose how Claude integration is authenticated and where generated outreach content is sent. (5) If the publisher cannot clarify required credentials and data-handling, treat this skill as risky and avoid installing it.Like a lobster shell, security has layers — review code before you run it.
latestvk979g74y5dghzraq2kzk14rd3n84bcnv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.