Lead Storage
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only lead storage skill, but users should understand that it persists personal lead data to a sheet or database after a supervisor handoff.
Before installing, confirm which sheet or database this skill can write to, how supervisor confirmation tokens are issued, and what retention/access controls apply to stored names, phone numbers, and raw lead text.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at the wrong sheet or database, approved lead records could be inserted into an unintended business system.
This authorizes mutation of an external storage target. It is purpose-aligned and gated by confirmation/schema validation, but users should ensure the destination is explicit and limited.
Write leads to storage through write-only interfaces.
Configure only the intended storage target and require explicit approval before each storage batch.
The skill may rely on whatever sheet or database permissions are available in the runtime environment.
Writing to Google Sheets or a database implies delegated account or database write authority, even though the artifacts do not show credential handling or leakage.
Use when users ask to save approved leads to Google Sheets or DB
Use a least-privilege, write-only credential or tool binding limited to the approved destination.
A weakly controlled supervisor handoff could allow unintended writes if another component supplies a plausible payload and token.
The workflow depends on a Supervisor handoff, but the artifact defines token checking only as presence/non-empty rather than a stronger origin or issuer validation.
Accept payload from Supervisor. ... Verify `confirmation_token` is present and non-empty.
Ensure the supervisor confirmation token is generated by a trusted component and bound to the specific lead batch and destination.
Names, phone numbers, and raw lead text may be stored long-term in the target system.
The schema permits persistent storage of personal lead data and raw text. This matches the storage purpose, but raw text should remain treated as data, not instructions, if reused later.
"name": { "type": "string" }, "phone": { "type": "string" }, ... "raw_text": { "type": "string" }
Apply appropriate retention, access controls, and redaction rules for personal data and untrusted raw text.
