PhantomBuster
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad request could run the wrong PhantomBuster automation or stop a running job.
The skill exposes commands to start and stop remote PhantomBuster agents and pass run arguments. This matches the stated purpose, but it can trigger external automation and consume account resources.
python3 pb.py launch <agent-id> --argument '{"search": "CEO fintech"}' ... python3 pb.py abort <agent-id>
Use explicit agent IDs and review launch arguments before running or aborting automations.
Anyone with access to this API key could control the connected PhantomBuster workspace within the key's permissions.
The skill requires a PhantomBuster API key to perform account actions. This is expected for the integration, but the registry metadata does not declare a required credential.
export PHANTOMBUSTER_API_KEY=your-api-key-here
Provide the key only in a trusted environment, rotate it if exposed, and use the least-privileged PhantomBuster access available.
Fetched results may contain sensitive lead/profile information or untrusted scraped content that the agent could reuse in later work.
The skill can bring PhantomBuster result data, including scraped lead or social profile data, into downstream workflows. This is purpose-aligned but may involve personal or untrusted external data.
Download the actual result data (CSV) from an agent's latest run ... perfect for integrating PhantomBuster data into your workflows.
Treat fetched outputs as sensitive and untrusted; review them before sharing, storing, or using them to drive further automated actions.
It may be harder to verify who maintains the skill or compare it against an upstream project.
The registry does not provide a verified source or homepage for the skill. The bundled code is readable and purpose-aligned, so this is a provenance note rather than a behavior concern.
Source: unknown; Homepage: none
Review the included pb.py before use and prefer verified sources for account-control integrations.
