Is galacticpuffin/lead-hunter safe?

https://github.com/openclaw/skills/tree/main/skills/galacticpuffin/lead-hunter

78
CAUTION

The lead-hunter skill is pure documentation with no executable code and a clean install process, but its design is inherently oriented toward mass unconsented personal data collection, LinkedIn ToS evasion, and data brokering — activities that carry significant legal and ethical risk. Two rounds of canary credential file reads were detected during monitoring; while the skill cannot have caused these accesses (no code exists to do so), the post-install round lacks a clean audit log attribution and warrants follow-up. The primary risk is not in what the skill does at install time, but in what it directs an agent to do: automated surveillance of individuals across platforms, proxy-evaded LinkedIn scraping, auto-outreach spam, and data export to configurable webhook endpoints that could be attacker-controlled.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (11)

HIGH Unexplained post-install credential file reads — canary honeypots accessed twice -28

Auditd PATH records show two distinct rounds of READ access to all six honeypot credential files. The first round at 1771905573 (pre-install) is consistent with audit harness initialization. The second round at 1771905590 occurs 17 seconds after the git clone from github.com completed, after the cp and rm -rf install steps concluded. No EXECVE in the visible audit log can be attributed to the skill for this second round. The skill contains no executable code that could trigger file access, and the canary files were not modified. Attribution to the audit harness is likely but inconclusive due to log truncation.

HIGH Skill designed for mass unconsented PII collection — core use case, not edge case -20

The skill's documented primary purpose is automated bulk collection of personally identifiable information (names, emails, phone numbers, LinkedIn profiles, social media handles, company financials, tech stacks) about individuals who have not consented to being profiled. The skill documentation explicitly markets this as 'collecting 24/7' and for 'completing lead research bounties faster than anyone else.' At scale this constitutes systematic surveillance of individuals and is unlawful without a legal basis under GDPR, CCPA, and similar frameworks.

HIGH LinkedIn scraping explicitly encouraged with proxy evasion — ToS violation and potential CFAA -15

The discovery/sources.md file dedicates a section to LinkedIn discovery marked HIGH RISK, describing use of residential proxies and third-party scraping services (PhantomBuster, LinkedHelper) specifically to evade LinkedIn's anti-scraping measures. This is an intentional circumvention of a technical protection measure, potentially qualifying as unauthorized computer access under the CFAA (hiQ v. LinkedIn notwithstanding for public data). The skill treats this violation as a configuration choice rather than a bright line.

MEDIUM Webhook mechanism enables silent data exfiltration to arbitrary endpoints -13

The output/integrations.md defines a webhook configuration that fires on 'hot lead' events, POSTing the full_lead_object (name, email, phone, company, score, signals) to ${WEBHOOK_URL}. This URL is user-configurable. If an attacker can influence configuration (via a malicious commit, social engineering, or by listing a poisoned config template), all collected lead data — including any user contacts enriched by the agent — would be silently transmitted to attacker infrastructure. No authentication or domain allowlisting is described.

MEDIUM Data brokering use case — selling collected PII without data subject consent -10

The SKILL.md explicitly promotes two use cases that constitute unlicensed data brokering: selling lead lists to other businesses and completing 'data bounties' on Moltbook. Selling personal data (emails, phones, social profiles) without the data subjects' consent violates GDPR Article 6 (no lawful basis), CCPA data broker registration requirements, and similar frameworks. This is not a theoretical misuse — it is the documented business model.

MEDIUM Auto-outreach trigger could send unsolicited bulk communications without per-send authorization -5

The scoring pipeline defines automatic action triggers: 'hot' leads trigger immediate outreach, 'warm' leads are added to outreach sequences. If the agent is connected to the user's email account, this pipeline could autonomously send bulk unsolicited emails to collected leads without explicit per-send user authorization. This creates CAN-SPAM, GDPR (legitimate interest challenge), and mail reputation liability. The pipeline is designed to run 24/7 without human review.

MEDIUM Webhook and CRM API keys are environment-variable configured — susceptible to supply-chain misconfiguration -8

All integration credentials (${HUBSPOT_KEY}, ${PIPEDRIVE_KEY}, ${WEBHOOK_URL}, ${TWITTER_BEARER_TOKEN}, ${GITHUB_TOKEN}, etc.) are injected via environment variables or config files. An attacker who can influence the agent's environment (via a malicious .env file in a repo, poisoned config, or compromised secret store) could redirect all collected data to attacker-controlled CRM instances or webhooks.

LOW Two rounds of canary credential file reads detected — attribution inconclusive -15

Both inotify and auditd confirm READ access (not write) to all six canary files in two rounds. Files were not modified and canary integrity is confirmed. The second round at 1771905590 lacks a clear EXECVE attribution in the visible logs. The reads most likely come from the audit harness's post-install verification, but if a process outside the audit harness triggered them, it would indicate credential-sweeping behavior consistent with reconnaissance.

LOW References unincluded external CLI binary — agent may attempt to source and execute it -8

The Quick Start section instructs running 'lead-hunter discover --icp tech-startup' but no such binary exists in the skill package. An agent following this instruction may attempt to locate, download, or install an external lead-hunter package to fulfill the task. If such a package exists in a public registry under an attacker-controlled namespace, this creates a dependency confusion or typosquatting attack surface.

LOW SMTP-ping email verification constitutes unauthorized probing of third-party mail servers -7

The free verification stack in enrichment/email-discovery.md includes 'smtp_check: validates Mailbox exists (SMTP ping)'. Sending SMTP-level connection attempts to verify arbitrary email addresses at target companies is unauthorized use of those mail servers, can trigger security alerts at targets, and in bulk constitutes probe activity that many MTAs log and block. This is flagged as 'risky' even within the skill documentation.

INFO Install process is clean standard git sparse-checkout — no suspicious behavior 0

The install script performed: git clone --depth 1 (to github.com only), git sparse-checkout set (to isolate the skill subdirectory), cp -r to the destination, rm -rf cleanup. No unexpected processes, no outbound connections beyond GitHub, no writes outside the skill directory. Process execution matches the expected audit harness install pattern exactly.