Low Risk — Risk Score 10/100
Last scan: 1 day ago
lead-gen-website-pipeline
Automated lead generation pipeline that finds local businesses with weak/no websites, AI-generates custom demo sites, deploys to Vercel, and runs a 5-email cold outreach drip sequence via AgentMail.
This is a documentation-only skill describing a legitimate lead generation pipeline. No executable code, scripts, or dependencies are included in the package.
Skill Name: lead-gen-website-pipeline
Duration: 33.8s
Engine: pi
Safe to install
Safe to use. The skill is purely instructional and references node scripts that do not exist in this package. If deploying, ensure the referenced node scripts from the GitHub repo are reviewed separately.

Findings 2 items

Severity: Low
Finding: Documentation-only package without implementation [Doc Mismatch]
SKILL.md references node scripts (poll-approved-leads.js, run-poller.js, send-outreach.js) and a GitHub repo that contain the actual implementation. This package contains only documentation.
git clone https://github.com/RazzleDazzleI/lead-gen-pipeline.git
→ Code review should target the GitHub repository, not this documentation package.
Location: SKILL.md:1

Severity: Info
Finding: Broad API key requirements [Priv Escalation]
The skill requires multiple high-value API keys (Google, OpenAI, Anthropic, Vercel, AgentMail). While documented, these represent significant permissions if the referenced node scripts were executed.
ANTHROPIC_API_KEY | Anthropic | Claude for spec generation
→ Ensure API keys have minimal scopes and are not used in environments with broader permissions than necessary.
Location: SKILL.md:31

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No file read/write operations in package |
| Network | READ | READ | ✓ Aligned | API calls to Google Places, Vercel, AgentMail are documented and declared |
| Shell | NONE | NONE | | No shell scripts or node binaries in package |
| Environment | WRITE | WRITE | ✓ Aligned | API keys declared in SKILL.md metadata |
| Skill Invoke | NONE | READ | ✓ Aligned | Standard skill invocation capability |
| Clipboard | NONE | NONE | | No clipboard access documented |
| Browser | NONE | NONE | | No browser automation documented |
| Database | NONE | READ | ✓ Aligned | Google Sheets API access declared |

3 findings

Medium: External URL
http://127.0.0.1:11434
references/env-example.md:29

Info: Email address
[email protected]
references/env-example.md:22

Info: Email address
[email protected]
references/env-example.md:25

File Tree

5 files · 14.4 KB · 418 lines
Markdown 4f · 388L JSON 1f · 30L
├─ 📁 references
│ ├─ 📝 drip-sequence.md Markdown 68L · 2.3 KB
│ ├─ 📝 env-example.md Markdown 32L · 1.0 KB
│ └─ 📝 google-sheet-setup.md Markdown 52L · 1.6 KB
├─ 📋 _meta.json JSON 30L · 809 B
└─ 📝 SKILL.md Markdown 236L · 8.7 KB

Security Positives

✓ No executable code or scripts in the package — purely documentation
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ All API key requirements are explicitly declared in SKILL.md metadata
✓ No sensitive file paths accessed (no ~/.ssh, ~/.aws, .env reads)
✓ No external IP addresses or C2 communication patterns
✓ No credential harvesting beyond what is declared as required for the pipeline
✓ No supply chain concerns since no dependencies are included