Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beta Lead Scoring

v1.0.0

AI-powered B2B lead scoring model. Predicts conversion probability for potential customers using machine learning (LightGBM + SHAP). CSV upload or API integr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The description and SKILL.md advertise LightGBM + SHAP and interpretability, but score.py contains a simple rule-based implementation that never imports or uses lightgbm or shap. Declaring heavyweight ML libraries in 'Notes' is disproportionate to the actual code and could mislead users about capabilities or required setup.
Instruction Scope
Runtime instructions are narrow and clear (run python3 score.py --input ...). They do not instruct the agent to read unrelated files, access secrets, or make network calls. However, the SKILL.md claims features (SHAP explanations, model pipeline) that are not implemented by the provided script, so the instructions and claimed scope are inconsistent.
Install Mechanism
There is no install spec (lowest risk). The SKILL.md lists dependencies (lightgbm, shap, pandas) but the package does not include installation steps and the script only uses pandas/numpy. This is not an install risk but is inconsistent and could lead users to install unnecessary/large ML packages.
Credentials
The skill requests no environment variables, credentials, or config paths. The code reads only the supplied CSV and writes an output CSV — no secrets or unrelated system access are requested.
Persistence & Privilege
always:false and no installation or background persistence. The skill does not modify other skills or system settings and does not request persistent presence.
What to consider before installing
This package is not malicious, but it's misleading: it advertises a LightGBM+SHAP model while the included score.py is a simple rule-based scorer. Before installing or using it: (1) review the Python script yourself — it only requires pandas/numpy and does not call external services or handle secrets; (2) if you expect a trained LightGBM model or SHAP explanations, ask the author for the model artifact and the real code that computes SHAP values; (3) avoid installing heavy ML packages unless you actually need them; and (4) run the script on non-sensitive sample data first to confirm behavior. If you need a true ML-backed lead scorer, obtain the trained model and verify how feature importances/SHAP are computed and stored.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎯 Clawdis
Bins: python3
