Is audsmith28/lead-enrichment safe?

setup.sh intentionally opens ~/.clawdbot/secrets.env and greps it for three API key names (HUNTER_API_KEY, CLEARBIT_API_KEY, APOLLO_API_KEY). While the current code only checks for key presence rather than extracting values, the skill explicitly instructs users to place credentials in this file and conditions agents to treat it as a normal workflow artifact. A malicious version of setup.sh could trivially read and exfiltrate these keys.

export.sh, combined with the CRM integration config, enables piping fully enriched lead profiles (name, title, emails, phone, social profiles, company intel, AI talking points) to any HTTP endpoint. The config.example.json exposes webhook_url as a user-configurable field. If a malicious actor pre-populates this URL in a distributed config or if an agent is instructed to set it, all enriched data flows to an attacker-controlled server with no user visibility.

The skill is designed to automatically aggregate personal information about named individuals (location, bio, social profiles, email addresses, employer, recent activity, interests, inferred pain points) at scale without those individuals' knowledge. When chained with 'trawl' via the documented post_qualify_action integration, this creates a fully autonomous surveillance pipeline. Users may not realize the legal exposure (GDPR Article 14, CCPA) of running bulk enrichment on EU or California residents.

Auditd PATH records show six credential-adjacent files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) accessed in the same second (1771951524.280) after skill installation completed. These accesses are attributable to oathe's canary verification routine rather than skill code, and the canary integrity check confirms no exfiltration. However, the pattern of all credential files being probed together is consistent with what a malicious credential harvester would do.

batch.sh exports the process_lead function and passes CSV fields directly via xargs -I {} bash -c '...'. CSV input is parsed with cut -d',' without quoting or sanitization. A malicious leads CSV with shell metacharacters in name or company fields could inject commands into the bash -c invocation. This is a user-supplied-input code injection risk if the skill processes CSV files from untrusted sources.

The contact_discovery section generates a list of likely email addresses with confidence scores using corporate patterns (first@domain, f.last@domain, firstlast@domain, etc.). The output is a ranked list of probable email addresses for individuals the user does not have a confirmed relationship with. This list is precisely the input format for credential stuffing tools and spear-phishing campaigns, even if the skill's stated intent is 'personalized outreach'.

The skill instructs the agent to fetch and parse content from LinkedIn, Twitter/X, GitHub, company websites, and news sources for each target. Any of these pages could contain prompt injection payloads designed to hijack the agent mid-enrichment. Since the skill instructs the agent to extract and summarize text content, injected instructions in a target's LinkedIn bio or website could influence agent behavior.

SKILL.md claims 'Will this get me blocked by LinkedIn? No. We use search (public), not scraping.' and 'Respects robots.txt'. However, automated bulk LinkedIn data collection violates LinkedIn's User Agreement and hiQ Labs precedent regardless of whether robots.txt is honored. This misleading claim may cause users to believe the skill is legally safe when it may expose them to cease-and-desist or account termination.

After installation, three new ESTABLISHED TCP connections to AWS IPs appeared bound to the openclaw-gatewa process, along with two new listener ports on 127.0.0.1. These are attributed to the platform's gateway infrastructure and not the skill's scripts. No skill-originated network activity was observed during installation. Flagged for completeness.

SKILL.md contains no 'ignore previous instructions', persona-switching, output suppression, hidden unicode, HTML comments, or other classic prompt injection patterns. The skill content is consistent with its stated description.

No package.json npm lifecycle hooks, .gitattributes filter drivers, .githooks, git submodules pointing to external repos, or symlinks outside the skill directory were detected.