Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lead Researcher
v1.0.0
Automated lead research and enrichment for B2B sales. Finds companies matching your criteria, enriches with contact data, and generates personalized outreach messages.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill advertises full lead enrichment (finding contacts, emails, scoring, outreach) yet includes no code or declared environment variables to perform enrichment or contact resolution. The included research.sh only constructs and prints a search query; it does not call web APIs, third-party enrichment services, or perform scraping. This is disproportionate to the claimed capability.
Instruction Scope
SKILL.md tells the agent to 'monitor web/social' and optionally use LinkedIn/Apollo but is vague about exact APIs, endpoints, or whether the agent should scrape sites. It does not instruct reading local files or unrelated environment variables, but its broad language gives the agent wide discretion to perform network scraping or lookups if implemented later.
Install Mechanism
There is no install spec. The only shipped code is a small, non-executing Bash script that builds and echoes queries. Nothing is written to disk beyond the provided files and no remote downloads or extracts are present.
Credentials
No credentials or env vars are declared, yet the skill explicitly mentions optional LinkedIn/Apollo enrichment (which normally requires API keys/accounts). The absence of declared required credentials reduces transparency and is a mismatch, but not necessarily malicious.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request or claim any elevated platform privileges or persistent system modifications.
What to consider before installing
This skill's description promises automated enrichment but the shipped files do not implement it. Before installing or running:
(1) Ask the publisher which APIs/endpoints the skill will call and what credentials are required; preferred skills explicitly list required env vars and endpoints.
(2) Do not give account credentials until you verify the integration and trust the source.
(3) Be aware that performing scraping/LinkedIn lookups can violate terms of service and privacy laws; ensure compliance.
(4) If you test it, do so in a sandboxed environment and monitor outbound network traffic to confirm where data is sent.
(5) Prefer skills that provide concrete implementation or documented, well-known API usage (e.g., official provider domains) rather than vague instructions that grant the agent broad discretion.
Like a lobster shell, security has layers — review code before you run it.
latestvk970ttyce3yw4pj88j16javmv580y0sj
