ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lead Generation

v2.2.0

Lead Generation — Find high-intent buyers in live Twitter, Instagram, and Reddit conversations. Auto-researches your product, generates targeted search queries, and discovers people actively looking for solutions you offer. Social selling and prospecting powered by 1.5B+ indexed posts via Xpoz MCP.

12· 3.3k·13 current·13 all-time
by@atyachin·duplicate of @atyachin/social-lead-gen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (social lead discovery via Xpoz MCP) aligns with required binary (mcporter), the declared network host (mcp.xpoz.ai) and the SKILL.md calls (mcporter call xpoz.*). The dependency on an xpoz-setup skill for OAuth is coherent with needing user authorization to query Xpoz.
Instruction Scope
Instructions stay within the stated purpose (product research via web_search/web_fetch, generate queries, call mcporter to fetch platform posts, score and deduplicate, produce outreach drafts). They instruct the agent to write files under data/lead-generation and to use web fetching for product research — both reasonable for this task but worth noting because they create local artifacts and cause the agent to fetch external webpages.
Install Mechanism
Install spec uses npm to install a package named 'mcporter' which provides the mcporter binary. npm installs are common but carry moderate risk because published packages can contain arbitrary code; there are no direct downloads from untrusted URLs or archives, but you should verify the package's provenance (npm page, GitHub repo, maintainer) before installing.
Credentials
The skill does not request unrelated environment variables or credentials in its manifest. Authentication is delegated to an xpoz-setup skill (OAuth 2.1), which is proportionate for a service that queries social/post index data.
Persistence & Privilege
always:false (no forced global persistence). The skill will write persistent artifacts (product-profile.json, search-queries.json, sent-leads.json) under data/lead-generation and may be invoked autonomously by the agent (default). Consider that stored lead lists may contain personal data and that autonomous invocation + network access increases operational risk if you don't trust the mcporter package or Xpoz service.
Assessment
Before installing: 1) Inspect the 'mcporter' npm package (npmjs page, GitHub source, recent maintainer activity) to ensure it comes from a trusted publisher. 2) Confirm xpoz-setup's OAuth flow and what tokens/permissions it grants; avoid providing unrelated credentials. 3) Be aware the skill will save lead data locally under data/lead-generation—plan for sensitive-data handling, retention, and deletion. 4) Consider legal/compliance implications of scraping/engaging users on social platforms and the content of outreach messages (spam/GDPR). 5) If possible, test in an isolated environment or sandbox and limit autonomous invocation until you trust the package and remote host (mcp.xpoz.ai).

Like a lobster shell, security has layers — review code before you run it.

latestvk976w1q76j6g0ch76pv1h2xghs8112bm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsmcporter

Install

Install mcporter (npm)
Bins: mcporter
npm i -g mcporter

Comments