Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apify Lead Generation

v1.0.1

Generates B2B/B2C leads by scraping Google Maps, websites, Instagram, TikTok, Facebook, LinkedIn, YouTube, and Google Search. Use when user asks to find leads, prospects, businesses, build lead lists, enrich contacts, or scrape profiles for sales outreach.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Skill name/description (lead generation via Apify) match what it requires and does: node, mcpc, and APIFY_TOKEN are appropriate and necessary to list/fetch/run Apify Actors and download datasets.
Instruction Scope
SKILL.md and the included script instruct the agent to fetch actor schemas, start actor runs, poll status, and download results from api.apify.com only. The instructions do not read unrelated files or other environment variables. Note: the workflow will surface scraped data into chat (quick answer) or write outputs to files in the current working directory — that may expose personal/contact data in chat or local files if results contain PII.
Install Mechanism
Install uses an npm package (@apify/mcpc) to provide the mcpc CLI. This is an expected, traceable install mechanism for a Node-based Apify CLI, but npm packages carry typical supply-chain risk; no arbitrary URL downloads or extract steps are used.
Credentials
Only APIFY_TOKEN is required and declared as the primary credential, which is proportionate for starting runs and fetching datasets on api.apify.com. There are no unrelated secrets requested. Users should note APIFY_TOKEN grants access to their Apify account and datasets, so scope and permissions matter.
Persistence & Privilege
The skill does not request always:true or other elevated platform-wide persistence. It does not modify other skills or system-wide settings. It will write output files to the current working directory as expected.
Assessment
This skill appears internally coherent for running Apify Actors. Before installing:
1) Ensure the APIFY_TOKEN you provide has minimal necessary privileges (use a limited API token if possible) because it can start runs and access datasets.
2) Be aware scraped results may include publicly-available personal/contact data — avoid exposing sensitive records in chat (the "quick answer" option will print top results into conversation).
3) Review any specific Actor's README/permissions before running it (the SKILL.md points to checking actor permissions: LIMITED_PERMISSIONS vs FULL_PERMISSIONS).
4) Accept the usual npm risk for installing @apify/mcpc (audit package version from npm/github if you want extra assurance).
5) Confirm scraping these platforms complies with your legal/terms-of-service constraints and your organization’s data-handling policies.


latestvk978sg3g5v20zdmz9zkscktqps80z085

Runtime requirements

Bins: node, mcpc
Env: APIFY_TOKEN
Primary env: APIFY_TOKEN

Install

Node
Bins: mcpc
npm i -g @apify/mcpc
