ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Lead Intelligence Generator

v1.0.1

Generates detailed B2B lead intelligence reports with company insights, pain points, sales opportunities, and personalized outreach strategies for targeted p...

1· 119·0 current·0 all-time
by@syed-tahmid99
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims a free tier that needs 'no API key' but the runtime instructions require sending X-Access-Token to https://ai-lead-intelligence-acet.onrender.com. The registry lists no required env vars/credentials, yet the SKILL.md and test_api.py expect an access token. The backend domain is an onrender.com app with no homepage or publisher info — this mismatch between claimed capability and required credentials is unexplained.
Instruction Scope
Runtime instructions are narrowly scoped to collecting company, persona, and optional URL and POSTing them to the backend, which is consistent with lead-intel functionality. However, the skill instructs the agent to transmit user inputs (and an API key) to an externally hosted endpoint of unknown provenance, and the SKILL.md advertises third-party enrichment (Hunter.io, Groq LLaMA 3) without documenting required third-party credentials or data flows.
Install Mechanism
Instruction-only skill with no install spec and no packages to download; lowest installation risk. The included test_api.py only demonstrates sending requests to the backend and contains a placeholder token.
!
Credentials
Registry metadata declares no required environment variables or primary credential, yet the runtime instructions require a user API key sent as X-Access-Token. That mismatch is disproportionate and unexplained. Also the SKILL.md links to 'your-lemonsqueezy-link.com' to purchase an API key — an unexpected and unverified payment/credential flow for a skill with no verified publisher.
Persistence & Privilege
Skill does not request always:true and has no install steps that modify agent/system configuration. It does allow normal autonomous invocation (default), which is platform-default and not by itself a red flag.
What to consider before installing
This skill asks you (or the agent) to send company data and an API key to an unknown third‑party backend. Before installing or using it: (1) Do not provide real API keys or sensitive customer data — test only with dummy values. (2) Ask the publisher for a homepage, privacy policy, and details about where data is stored, retention, and who can access it. (3) Clarify the free-tier claim versus the documented API-key requirement. (4) Prefer skills hosted by known vendors or that declare required env vars in the registry so you can control credentials. If you cannot verify the backend and its data-handling practices, avoid using this skill for real lead/customer data.

Like a lobster shell, security has layers — review code before you run it.

aivk972356h20wtdq5avaqkjzs4kx832t04b2bvk972356h20wtdq5avaqkjzs4kx832t04latestvk972356h20wtdq5avaqkjzs4kx832t04lead-generationvk972356h20wtdq5avaqkjzs4kx832t04outreachvk972356h20wtdq5avaqkjzs4kx832t04salesvk972356h20wtdq5avaqkjzs4kx832t04

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments