Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Leadgenius
v1.0.0Enrich and score sales leads using AI-powered analysis, data validation, and CRM integration. Use when the user needs lead qualification, contact enrichment,...
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose (lead enrichment, scoring, CRM sync) reasonably explains the declared env vars LEADGENIUS_API_KEY, CRM_API_KEY, and ENRICHMENT_SERVICE_KEY. However, the skill advertises many integrations (Salesforce, HubSpot, Pipedrive, Google Sheets, Slack, Gmail, Zapier) but only lists a generic CRM_API_KEY and two other keys. It's unclear which key is intended for which integration and whether additional credentials (Slack token, Google OAuth, Gmail access) will be required at runtime. This mismatch is unexpected and reduces clarity about what credentials are genuinely needed.
Instruction Scope
SKILL.md is instruction-only and contains example prompts that ask the agent to process CSVs, validate emails (real-time SMTP checks), push data to various CRMs, update Google Sheets, and send Slack notifications. The document does not explicitly describe how local files are provided/uploaded, how user consent/PII is handled at runtime, or where network requests will be sent beyond the advertised services. Because the instructions are broad and permit sending potentially sensitive lead data to multiple external services, the scope is too permissive and underspecified.
Install Mechanism
No install spec and no code files — the skill is instruction-only. That minimizes on-disk execution risk because nothing is being downloaded or installed by default.
Credentials
Three env vars are required (LEADGENIUS_API_KEY, CRM_API_KEY, ENRICHMENT_SERVICE_KEY), which align with core functionality, but advertised integrations imply additional credentials (Slack, Google, Gmail, Zapier, or per-CRM keys). The single generic CRM_API_KEY may be insufficient or may require broad privileges across an org. The skill does not declare or justify provisioning of Slack/Google/Gmail tokens or the exact scopes needed, which could lead users to supply over-privileged credentials.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request forced always-on presence. Model invocation is enabled (default), which is expected for skills. No instructions indicate modification of other skills or system-wide configs.
What to consider before installing
This skill broadly claims many integrations but only lists three environment keys — ask the publisher for a clear mapping of which keys are used for which integrations and what exact OAuth scopes or API privileges are required. Before installing or supplying credentials: 1) Prefer least-privilege, scoped API tokens (e.g., write-limited CRM tokens or a dedicated integration user) and avoid administrator-level keys. 2) Request documentation about data flows: where lead data is sent, which third parties see it (LeadGenius API vs. enrichment provider), and how PII is stored/retained. 3) Confirm how local files (CSV) are uploaded and whether the agent will read local paths. 4) If you plan to integrate Slack/Google/Gmail/Zapier, provide tokens only when needed and in test/staging environments first. 5) If possible, review the full SKILL.md (untruncated) or source repo to verify behavior — lack of code makes behavior rely entirely on runtime instructions, so clarity is essential. If you cannot obtain these clarifications, treat the skill as higher risk and avoid providing production credentials or sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk975gxs8kfxzdfvwv5pqp9edgs83gsxe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⭐ Clawdis
OSmacOS · Linux · Windows
EnvLEADGENIUS_API_KEY, CRM_API_KEY, ENRICHMENT_SERVICE_KEY