Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
lead-scraper
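v1.0.2 Automatically scrape potential customer information - an intelligent lead-scraping tool that supports multi-platform customer information collection, cleaning, deduplication, and classification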
⭐ 0· 89·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (lead scraping across many platforms) matches the SKILL.md goals. However it claims support for platforms (e.g., LinkedIn, Tianyancha, 企查查) that typically require authentication, scraping headers/cookies, or legal/ToS handling. The skill declares no required credentials or tools, which is underspecified: either the instructions assume the agent already has the ability to access those platforms, or necessary credentials/details are omitted.
Instruction Scope
SKILL.md is instruction-only and provides example natural-language commands for scraping, cleaning, scoring and exporting. It does not tell the agent to read arbitrary local system files except example data-cleaning of a named file (contact_list.xlsx), and it states compliance constraints (robots.txt, no CAPTCHA bypass). But the instructions are high-level and vague about implementation (how to fetch pages, handle rate limits, CAPTCHAs, authenticated sessions, or where data is transmitted), which gives the agent wide discretion and could lead to broad web requests or data collection behaviors.
Install Mechanism
No install spec and no code files — lowest install risk. Nothing will be written to disk by the skill itself during install because there is no installer.
Credentials
The skill requests no environment variables or credentials, yet claims integration with services that commonly require API keys, session cookies, or logins. That omission is an inconsistency: a realistic multi‑platform scraper typically needs credentials or at least cookies/proxies and rate-limit controls. Additionally, the SKILL.md includes a crypto payment address (USDC on Polygon) and WeChat pay info — unrelated to operation but useful to know; monetization info is not a technical requirement but should be considered when trusting the author.
Persistence & Privilege
Flags show always:false and no special config paths or persistent privileges. The skill does not request permanent presence or modify other skills/configs.
What to consider before installing
This skill is an instruction-only description of a scraper rather than an implementation; that makes it low install-risk but leaves important gaps. Before installing or enabling: (1) verify the developer/company identity and reputation, and whether there is real code backing these claims; (2) do NOT provide platform credentials (LinkedIn, Tianyancha, etc.) unless you understand how they will be stored/used; (3) treat the compliance statements as promises only — confirm how robots.txt, rate limits, and CAPTCHA handling are enforced; (4) if you must test, run it in a controlled environment and restrict the agent's ability to exfiltrate data or access sensitive files; (5) consider declining to enable autonomous invocation or limit the skill to manual invocation until you obtain an actual implementation or source code; (6) be aware of legal/privacy risks when scraping personal or commercial contact data and consult legal/compliance if needed.
Like a lobster shell, security has layers — review code before you run it.
AI, automation, chinese, crawl, latest, lead, pro, productivity, scraper
