Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Maps Leadgen
v0.1.0
Generate B2B leads from Google Maps using a self-hosted MCP server (`google-maps`) and export to CSV or XLSX. Use when the user asks for lead generation by country/city/industry, wants phone/website/email enrichment, wants deduped lead lists, or asks to send lead files back in chat (especially Telegram file delivery).
by @realowg
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate leads via a self-hosted 'google-maps' MCP server and the provided script and SKILL.md implement that flow by calling mcporter tools (maps_search_places, maps_place_details). That purpose is coherent with the code. However, the registry metadata lists no required binaries or env vars while both the SKILL.md and the script require a local 'mcporter' binary and SKILL.md expects a GOOGLE_MAPS_API_KEY precondition — a manifest mismatch.
Instruction Scope
SKILL.md gives a focused workflow (build queries, call maps_search_places, enrich with maps_place_details, export CSV/XLSX, optionally send file via message tool). It does not instruct reading unrelated system files. It does, however, refer to a required env var (GOOGLE_MAPS_API_KEY) and reliance on mcporter configuration; the script itself invokes mcporter via subprocess rather than reading the API key directly, which is reasonable but should be documented in the manifest.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in general, but the code calls an external binary ('mcporter') via subprocess and requires openpyxl for XLSX output. The manifest did not declare mcporter as a required binary nor declare dependencies. Executing subprocess calls to an undeclared local binary increases risk if users are unaware and the binary is untrusted or misconfigured.
Credentials
SKILL.md explicitly requires a server-compatible GOOGLE_MAPS_API_KEY in the environment, but the registry metadata lists no required environment variables and no primary credential. That discrepancy is important: the skill does rely on credentials (or on mcporter to hold them), and the manifest should declare this so users can judge scope and trust. No unrelated credentials are requested, but the missing declaration is the issue.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and is user-invocable. It can be invoked autonomously (platform default), which is normal; nothing else in the package requests elevated or persistent privileges.
What to consider before installing
Before installing or running this skill:
- Verify you or your environment administrator have a trusted mcporter binary configured for the 'google-maps' MCP server; the script will run 'mcporter' locally via subprocess. The manifest does not declare this dependency, so confirm availability and trust manually.
- Confirm where the GOOGLE_MAPS_API_KEY is stored and that it is server-compatible (no browser referrer restrictions). The skill's metadata did not declare this required env var—treat this as a documentation omission and do not paste your API key into the agent or chat.
- Understand that the script will create CSV/XLSX files and (per SKILL.md) may send them using the platform's message tool (e.g., Telegram). If you do not want files posted to external chats, disable or restrict the message/send capability before using.
- If you plan to use XLSX output, ensure openpyxl is installed in the environment where the script runs.
- Check that collecting leads at scale complies with Google Maps API terms and applicable privacy laws in target jurisdictions.
- Recommended actions: ask the skill author to update the manifest to list required binaries (mcporter) and env vars (GOOGLE_MAPS_API_KEY), or only install/run this skill if you control and trust the mcporter server and local environment.
Confidence note: I am moderately confident because the code and SKILL.md implement the claimed functionality, but the manifest omissions (undeclared binary and env var) are clear and could lead to unexpected behavior or risks if not clarified.
Like a lobster shell, security has layers — review code before you run it.
latestvk975760g16ferv16vx40zv2vtd80zdr3
