classify-leads

Fail

Audited by Socket on Mar 6, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The package performs an expected function (classifying leads via an external LLM) and does not show direct signs of malware or obfuscated backdoors in the provided fragment. The principal security concern is privacy/data-exfiltration: lead records (potentially containing PII or sensitive business details) are transmitted to a third-party LLM without documented redaction, retention, or privacy safeguards. There is also a transitive trust risk when the skill is composed with upstream scraping skills. Recommended actions: add explicit warnings and opt-in behavior, implement data minimization/redaction, audit composed skills, and review logging to ensure API keys and sensitive data are not accidentally recorded. Overall, treat this as a moderate security risk for environments with sensitive data and require organizational review before use.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 6, 2026, 02:19 PM
Package URL: pkg:socket/skills-sh/aiagentwithdhruv%2Fskills%2Fclassify-leads%2F@a35dc1fb597038abcf75d9b2e77a9cbdc2a1cda1