
Security audit

Lead Hunter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it should be used carefully: it can scrape websites, install scraping dependencies (crawl4ai and a Chromium browser), store lead data locally, and optionally schedule recurring runs.

Install only if you are comfortable with an autonomous prospecting workflow. Before first use, review the configured sources, approve any crawl4ai/Chromium installation, choose a safe output location, confirm whether Asana credentials are needed, and do not enable cron scheduling unless you want recurring web scraping and local lead storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("Installing crawl4ai...", file=sys.stderr)
    pip = os.path.join(VENV_DIR, "bin", "pip")
    result = subprocess.run(
        [pip, "install", "crawl4ai", "-q"],
        capture_output=True, text=True
    )
Confidence
91% confidence
Finding
result = subprocess.run([pip, "install", "crawl4ai", "-q"], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if result.returncode == 0:
        # Install playwright chromium
        pw = os.path.join(VENV_DIR, "bin", "playwright")
        subprocess.run([pw, "install", "chromium"], capture_output=True, text=True)
        print(json.dumps({"installed": True, "fresh_install": True, "venv": VENV_DIR}))
    else:
        print(json.dumps({"installed": False, "error": result.stderr}))
Confidence
92% confidence
Finding
subprocess.run([pw, "install", "chromium"], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill directs the agent to use network access, shell commands, and local state/files without declaring permissions or constraining scope. That creates a real security and governance issue because users and host systems are not clearly informed that the skill may scrape arbitrary sites, run scripts, and modify local files, increasing the chance of unexpected system impact or policy bypass.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior expands beyond ordinary lead generation into runtime environment creation, third-party package installation, browser automation, and generic scraping. This mismatch is dangerous because it can cause users or orchestration systems to invoke the skill under the assumption of low-risk business automation when it actually performs higher-risk actions with broader system and network reach.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The README states that onboarding can auto-create a cron job, which introduces persistence and scheduled execution on the host. For a lead-generation skill, scheduled runs can be legitimate, but automatic creation of OS-level persistence without clear consent, implementation details, or scope constraints increases risk because it can execute networked scraping repeatedly and outside the user's immediate awareness.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documented 4-tier fallback chain includes anti-bot bypass language such as handling Cloudflare and using a managed browser, which materially expands capability beyond ordinary content fetching. In context, this enables stealthier automated access to third-party sites and can be misused to circumvent site protections, increasing legal, operational, and abuse risk even if the stated business purpose is lead research.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The ability to create a virtual environment at runtime broadens the skill from content retrieval into local environment manipulation. In an autonomous agent setting, this increases risk because the skill can prepare an execution environment without prior administrative review or explicit user consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section installs a Python package and a browser binary at runtime, effectively granting the skill package-management and executable-download capabilities. That is materially more powerful than the declared lead-generation purpose and creates supply-chain, persistence, and unexpected system-change risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase "Find me some leads" is broad and likely to overlap with normal conversation, making accidental invocation more likely. For a skill that performs internet research, scraping, onboarding, and possibly scheduler setup, overly permissive activation increases the chance of unintended data collection or external actions from ambiguous user messages.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The on-demand invocation examples are vague and action-oriented, which can cause the agent to execute scraping and research workflows from common-language requests without a clear boundary check. Because this skill can perform multi-step external actions and produce outreach materials, weak invocation specificity raises the risk of unintended runs and unnecessary exposure to third-party sites and user data.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation text is broad enough that the skill may be auto-selected for many generic sales or prospecting requests, even when the user did not intend autonomous scraping, research, file writes, or outreach generation. Over-broad triggering increases the likelihood of unintended execution of networked and shell-capable behavior in contexts where a lighter-weight or safer action was expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly promotes stealth scraping, Cloudflare bypass attempts, and managed-browser fallback without clear warnings or consent boundaries. This is risky because it normalizes anti-bot evasion and expanded collection from third-party sites, which can create legal, privacy, operational, and reputational exposure for the user or platform.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The onboarding flow directs the agent to make persistent system and account-affecting changes: writing configuration files, creating directories, running the first hunt immediately, and optionally creating a cron job. These actions can modify the user's environment and trigger external activity without an explicit confirmation step or a clear warning that such side effects will occur, which creates a risk of unintended execution, data writes, or scheduled automation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs network-connected installation and browser setup without an explicit, user-facing confirmation at the time of action. In an agent skill, silent dependency and binary downloads can surprise operators, bypass approval expectations, and make later compromise harder to detect.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.