Security scan
OpenClaw
Safe
medium confidence
Assessment recommendations
Before installing: 1) Inspect the 'mcporter' npm package (npmjs page, GitHub source, recent maintainer activity) to ensure it comes from a trusted publisher. 2) Confirm xpoz-setup's OAuth flow and what tokens/permissions it grants; avoid providing unrelated credentials. 3) Be aware the skill will save lead data locally under data/lead-generation—plan for sensitive-data handling, retention, and deletion. 4) Consider legal/compliance implications of scraping/engaging users on social platforms and ...
✓ Purpose and capability
Name/description (social lead discovery via Xpoz MCP) aligns with required binary (mcporter), the declared network host (mcp.xpoz.ai) and the SKILL.md calls (mcporter call xpoz.*). The dependency on an xpoz-setup skill for OAuth is coherent with needing user authorization to query Xpoz.
ℹ Instruction scope
Instructions stay within the stated purpose (product research via web_search/web_fetch, generate queries, call mcporter to fetch platform posts, score and deduplicate, produce outreach drafts). They instruct the agent to write files under data/lead-generation and to use web fetching for product research — both reasonable for this task but worth noting because they create local artifacts and cause the agent to fetch external webpages.
ℹ Install mechanism
Install spec uses npm to install a package named 'mcporter' which provides the mcporter binary. npm installs are common but carry moderate risk because published packages can contain arbitrary code; there are no direct downloads from untrusted URLs or archives, but you should verify the package's provenance (npm page, GitHub repo, maintainer) before installing.
✓ Credential requirements
The skill does not request unrelated environment variables or credentials in its manifest. Authentication is delegated to an xpoz-setup skill (OAuth 2.1), which is proportionate for a service that queries social/post index data.
ℹ Persistence and privileges
always:false (no forced global persistence). The skill will write persistent artifacts (product-profile.json, search-queries.json, sent-leads.json) under data/lead-generation and may be invoked autonomously by the agent (default). Consider that stored lead lists may contain personal data and that autonomous invocation + network access increases operational risk if you don't trust the mcporter package or Xpoz service.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v2.2.0 2026/2/12
● Suspicious
Install command
Official: npx clawhub@latest install lead-generation
Mirror (accelerated): npx clawhub@latest install lead-generation --registry https://cn.longxiaskill.com