apollo-lead-finder
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill operates via Python scripts that perform network requests and local file operations. The execution flow is transparent and follows the instructions provided in the markdown documentation.
- [EXTERNAL_DOWNLOADS]: The skill fetches professional lead data from Apollo.io and interacts with Supabase for data storage. Both are established, well-known services. Network operations are performed using the standard Python
urlliblibrary without suspicious execution patterns. - [CREDENTIALS_UNSAFE]: The skill documentation correctly instructs users to store sensitive API keys and database URLs in a
.envfile. No hardcoded secrets were found in the scripts; the examples provided in the documentation use standard placeholders. - [DATA_EXFILTRATION]: Data movement is restricted to the skill's primary purpose: retrieving lead information from a professional API and saving it to a user-owned database or local CSV files. No unauthorized transmission of local sensitive files (like SSH keys or AWS credentials) was detected.
- [PROMPT_INJECTION]: The skill instructions do not contain attempts to override agent safety protocols or hijack behavior. It includes explicit safety markers, such as warning the agent never to skip user confirmation for database writes.
- [INDIRECT_PROMPT_INJECTION]: While the skill processes untrusted data from the Apollo API, it implements a 'human-in-the-loop' strategy. The agent is instructed to present search results to the user for review before enrichment, and again before upserting to the database, which mitigates the risk of processing malicious content found in lead profiles.
Audit Metadata