Lead Generation
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent lead-generation skill, but users should notice its Xpoz OAuth/MCP dependency, local saved lead data, and packaging metadata inconsistencies.
Before installing, confirm you trust Xpoz, the mcporter npm package, and the skill package despite the metadata mismatch. Be comfortable with product/search terms being sent to mcp.xpoz.ai, review saved data under data/lead-generation, and edit any outreach drafts before sending.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Xpoz account token may be used for lead-search API calls.
The skill requires an Xpoz OAuth-backed account to call the provider. This is expected for the service, but it grants delegated account/API access.
"credentials": "Xpoz account (free tier) — auth via xpoz-setup skill (OAuth 2.1)"
Use the intended Xpoz account, review what access xpoz-setup grants, and revoke the token if you stop using the skill.
Your product keywords, target audience assumptions, and prospecting searches may be visible to the Xpoz service.
The skill sends generated product and lead-search queries to the Xpoz MCP service and receives social post/user results. This external MCP data flow is disclosed and purpose-aligned.
"network": ["mcp.xpoz.ai"] ... mcporter call xpoz.getTwitterPostsByKeywords query="GENERATED_QUERY"
Avoid putting confidential product or customer information into search queries unless you are comfortable sharing it with Xpoz.
Saved files can influence future lead searches and may contain business strategy or prospect identifiers.
The skill persists product profiles, search queries, and sent-lead tracking for reuse across runs.
Save to `data/lead-generation/product-profile.json` and `search-queries.json` ... Deduplicate via `data/lead-generation/sent-leads.json`
Periodically inspect or delete the data/lead-generation files if they become outdated or should not persist.
It is harder to confirm exactly which publisher/version produced this package.
The bundled metadata differs from the supplied registry metadata and SKILL.md version, which is a provenance/packaging inconsistency rather than direct evidence of malicious behavior.
"ownerId": "kn76bnw12ah5rp8g47ek22wacx80zasb", "slug": "lead-generation", "version": "2.2.0"
Verify the skill source, homepage, and installed package before authorizing OAuth or repeated use.
If copied without editing, outreach could sound like a personal claim that may not be true for the sender.
The outreach template includes a personal-experience claim. The skill mitigates this by requiring disclosure and user review before sending.
"I had the same problem! Ended up using [Product] ... (Disclosure: I work with [Product])" ... "Draft only; user reviews/sends"
Review and edit all outreach drafts so they are accurate, transparent, and compliant with platform rules.
