Lead Researcher
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lead-researcher
Version: 1.0.0

The `research.sh` script constructs a search query string by directly interpolating user-provided command-line arguments (`INDUSTRY`, `PAIN_POINT`, `LOCATION`) without any input sanitization. The script is currently a placeholder that only `echo`es the constructed query, but the pattern itself is a significant weakness (lack of input sanitization). If this script were later replaced by, or its output fed to, an actual web search API call or a shell command, it could lead to shell injection or API injection, allowing an attacker to manipulate the search query or execute arbitrary commands. It is classified as suspicious because a clear vulnerability pattern is present, even though the current placeholder shows no explicit malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you connect external search or enrichment accounts, the skill may use those accounts, quotas, and permissions while researching leads.
The skill may rely on third-party service accounts or API keys for search and enrichment. That is aligned with lead research, but it is still delegated account/API access that should be scoped.
- Web search capability (Brave API or similar)
- Optional: LinkedIn/Apollo for enrichment (if configured)
Use dedicated, least-privilege API keys where possible, avoid sharing personal session cookies, and review the permissions and terms for any enrichment provider you configure.
Lead criteria, company names, and contact details may be processed by third-party services used for search or enrichment.
The described workflow can involve sending search criteria and lead details through external web/social search or enrichment providers. This is expected for the purpose, but the exact provider data boundary depends on the user's configuration.
1. **Search** - Monitors web/social for companies mentioning pain points you target
2. **Enrich** - Extracts company name, decision maker, contact info
Only configure providers you trust, avoid submitting sensitive internal targeting lists unless intended, and verify enriched contact details before using them for outreach.
