Is aspenas/ironclaw-lead-enrichment safe?

https://github.com/openclaw/skills/tree/main/skills/aspenas/ironclaw-lead-enrichment

79
CAUTION

The aspenas/ironclaw-lead-enrichment skill is a pure markdown instruction document with no executable code, no git hooks, and no prompt injection attempts — its static content is clean. The primary risks are behavioral: the skill enables systematic bulk harvesting of personal data (emails via pattern guessing, LinkedIn profiles, company info) without any consent verification mechanism, and relies on an unaudited linkedin-scraper dependency for its core functionality. Canary credential files were opened during the install session, but the monitoring system confirmed no modification or exfiltration occurred, and the access pattern is consistent with monitoring infrastructure performing baseline and integrity checks.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 68/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH Systematic email harvesting at scale -20

The skill instructs the agent to guess email addresses using common corporate patterns, verify them via web search queries, and scrape company website source code for mailto: links. Applied in bulk enrichment mode to 100+ records, this constitutes mass email harvesting without consent, which could be used to build phishing target lists or violate anti-spam laws.

HIGH Bulk personal data collection without consent mechanism -25

The skill is designed to systematically build comprehensive personal profiles (name, email, LinkedIn URL, job title, company, location, education, phone, industry) on large numbers of individuals. No mechanism exists to verify data subjects have consented to profiling, creating significant GDPR/CCPA exposure and enabling large-scale surveillance of individuals.

MEDIUM Canary credential files accessed during install session -20

Six sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at two points in the session — once at 1771924175 (before clone) and once at 1771924193 (after install). Files were not modified and no corresponding outbound exfiltration was detected. The pre-clone access is most consistent with the monitoring system establishing a baseline; post-install access is consistent with an integrity check. However, the pattern of opening all credential files in sequence is flagged.

MEDIUM Dependency on unaudited linkedin-scraper skill -18

The enrichment pipeline's primary data source is the linkedin-scraper skill, which is not included in this audit. All LinkedIn data access — which is the highest-priority enrichment source — is delegated to that unreviewed component. A malicious linkedin-scraper skill could exfiltrate data, inject content, or behave deceptively when activated by this skill.

MEDIUM /etc/shadow read during install session -12

The shadow password database was read twice during the monitoring window. This is most likely attributable to PAM or SSH session initialization, not the skill itself, but is noted given the sensitivity of this file.

LOW Overly broad activation trigger phrases -12

The skill's description instructs agents to activate on very generic phrases including 'fill in missing data' and 'look up company info'. These phrases could cause the skill to activate unexpectedly during unrelated tasks, potentially causing the agent to initiate external web requests or LinkedIn scraping when the user intended something different.

LOW LinkedIn scraping likely violates platform ToS -8

The skill explicitly instructs the agent to scrape LinkedIn profile pages via the linkedin-scraper dependency. Automated LinkedIn scraping violates LinkedIn's Terms of Service and has been the subject of litigation. Use of this skill could expose users to legal risk.

INFO No executable code or install scripts present 0

The skill contains only SKILL.md and _meta.json. There are no shell scripts, JS/TS/Python files, npm install hooks, git hooks, gitattributes smudge filters, submodules, or symlinks.

INFO No canary file exfiltration detected 0

Despite credential files being opened during the session, the monitoring system confirmed all canary honeypot files remain intact with no detected exfiltration.