Cold Outreach — Free Methodology

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cold-email workflow guide, but it needs review because it can automate unsolicited email and contact-data handling without strong safeguards.

Review this carefully before installing or using it. Only use it for lawful outreach where you can verify data-source permissions, anti-spam rules, opt-out language, suppression handling, and retention limits. Do not let an agent or n8n workflow send live emails until you have approved the lead list, message copy, schedule, and volume, and confirmed that every send step is gated by a suppression-list check so that opted-out contacts are never re-contacted. Use a dedicated sending account with credentials you can revoke, and inspect any external n8n workflow JSON before importing it: list which nodes send mail, write to sheets, or call external URLs, and which credentials they reference.
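One way to do that pre-import inspection, as an added example that is not part of the skill or of n8n: the script below parses the JSON that n8n writes on "Download workflow" and flags unattended triggers, email-sending nodes, send nodes with no IF/Filter node anywhere upstream (the assumed place for a suppression or opt-out check), Google Sheets writes, HTTP Request nodes pointing outside an assumed host allowlist, and Code nodes that touch the environment or the network. The node type strings are n8n's own identifiers; the allowlist, the gate heuristic, the red-flag regex and the sample workflow are assumptions constructed for illustration.

```python
"""Pre-import audit of an n8n workflow export (added example; not from the skill or n8n)."""
import json
import re
from urllib.parse import urlparse

# n8n built-in node type identifiers as they appear in exported workflow JSON.
TRIGGER_TYPES = {"n8n-nodes-base.scheduleTrigger", "n8n-nodes-base.cron"}  # run unattended
SEND_TYPES = {"n8n-nodes-base.gmail", "n8n-nodes-base.emailSend"}
SHEET_TYPES = {"n8n-nodes-base.googleSheets"}
GATE_TYPES = {"n8n-nodes-base.if", "n8n-nodes-base.filter"}  # assumed to hold the suppression check
CODE_TYPES = {"n8n-nodes-base.code", "n8n-nodes-base.function"}
HTTP_TYPES = {"n8n-nodes-base.httpRequest"}
ALLOWED_HOSTS = {"api.apollo.io", "api.hunter.io"}  # assumption: the only expected data sources
# Code-node JavaScript matching the scanner's "Env Variable Harvesting" / "External Transmission" patterns.
CODE_RED_FLAGS = re.compile(r"process\.env|require\(|fetch\(|\$http|eval\(|atob\(")


def predecessors(wf):
    """Map node name -> set of direct upstream node names, built from the connections table."""
    preds = {n["name"]: set() for n in wf.get("nodes", [])}
    for src, outs in wf.get("connections", {}).items():
        for branch in outs.get("main", []):
            for edge in branch or []:
                preds.setdefault(edge["node"], set()).add(src)
    return preds


def has_upstream_type(name, preds, by_name, types, seen=None):
    """True if any transitive predecessor of `name` has a node type in `types`."""
    if seen is None:
        seen = set()
    for p in preds.get(name, ()):
        if p in seen:
            continue
        seen.add(p)
        if by_name.get(p, {}).get("type") in types or has_upstream_type(p, preds, by_name, types, seen):
            return True
    return False


def audit_workflow(wf, allowed_hosts=ALLOWED_HOSTS):
    """Return [(node_name, finding), ...]; an empty list means nothing was flagged."""
    findings = []
    by_name = {n["name"]: n for n in wf.get("nodes", [])}
    preds = predecessors(wf)
    for name, node in by_name.items():
        t, params = node.get("type", ""), node.get("parameters", {})
        if t in TRIGGER_TYPES:
            findings.append((name, "unattended trigger: the workflow runs without a human starting it"))
        if t in SEND_TYPES:
            findings.append((name, "sends email: approve lead list, copy, schedule and volume first"))
            if not has_upstream_type(name, preds, by_name, GATE_TYPES):
                findings.append((name, "no IF/Filter node upstream: nothing enforces a suppression/opt-out check"))
        if t in SHEET_TYPES and params.get("operation", "read") != "read":
            findings.append((name, f"writes to Google Sheets ({params['operation']}): a bad run corrupts tracking state"))
        if t in HTTP_TYPES:
            url = str(params.get("url", ""))
            host = urlparse(url).hostname or ""
            if "{{" in url:
                findings.append((name, "HTTP Request URL is an expression: destination is decided at runtime"))
            elif host not in allowed_hosts:
                findings.append((name, f"HTTP Request to non-allowlisted host '{host}'"))
        if t in CODE_TYPES:
            m = CODE_RED_FLAGS.search(str(params.get("jsCode", params.get("functionCode", ""))))
            if m:
                findings.append((name, f"Code node uses '{m.group(0)}': review for credential or data exfiltration"))
        for cred_type, cred in (node.get("credentials") or {}).items():
            findings.append((name, f"uses credential '{cred.get('name', '?')}' ({cred_type}): bind to a dedicated, revocable account"))
    return findings


# Constructed sample export (not a real workflow from the skill): a schedule trigger reads leads
# from a sheet, a Code node builds the message while reading an env var, Gmail sends it with no
# gate, the sheet is updated, and an HTTP Request posts each lead to an unexpected host.
SAMPLE_WORKFLOW = json.loads("""
{"nodes": [
  {"name": "Every morning", "type": "n8n-nodes-base.scheduleTrigger", "parameters": {}},
  {"name": "Read leads", "type": "n8n-nodes-base.googleSheets", "parameters": {"operation": "read"},
   "credentials": {"googleSheetsOAuth2Api": {"name": "Sheets account"}}},
  {"name": "Build message", "type": "n8n-nodes-base.code",
   "parameters": {"jsCode": "const key = process.env.APOLLO_KEY; return $input.all();"}},
  {"name": "Send via Gmail", "type": "n8n-nodes-base.gmail", "parameters": {"operation": "send"},
   "credentials": {"gmailOAuth2": {"name": "Outreach mailbox"}}},
  {"name": "Mark sent", "type": "n8n-nodes-base.googleSheets", "parameters": {"operation": "update"}},
  {"name": "Post lead", "type": "n8n-nodes-base.httpRequest", "parameters": {"url": "https://example.net/collect"}}
 ],
 "connections": {
  "Every morning": {"main": [[{"node": "Read leads"}]]},
  "Read leads": {"main": [[{"node": "Build message"}]]},
  "Build message": {"main": [[{"node": "Send via Gmail"}, {"node": "Post lead"}]]},
  "Send via Gmail": {"main": [[{"node": "Mark sent"}]]}}}
""")

if __name__ == "__main__":
    for node, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{node}] {finding}")
```

Run it against the downloaded JSON instead of the embedded sample, and treat every line it prints as something to resolve before the workflow is activated: the gate heuristic only proves that some IF/Filter node sits upstream of the send, so still open that node and confirm it actually consults the suppression list.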

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding
The skill provides operational guidance for sourcing contacts, sending cold email, and handling replies, but it does not include an explicit warning about privacy law, anti-spam obligations, consent requirements, or organizational policy constraints. In this context, that omission is risky because users may treat the workflow as approved-by-default and run campaigns that violate CAN-SPAM, GDPR/PECR, platform terms, or internal compliance rules.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The n8n automation section describes a workflow that will automatically send emails and modify tracking data in Google Sheets, but it does not clearly warn users about the autonomous side effects, review checkpoints, or failure modes. That is dangerous because a misconfigured workflow could contact unintended recipients at scale, send follow-ups after opt-out, or corrupt status tracking, increasing legal, privacy, and reputational harm.

Vague Triggers

Severity: Medium
Confidence: 87%

Finding
The manifest description is broad enough to trigger on many generic sales, automation, or email-related tasks, which can cause the agent to invoke this skill outside a narrowly intended context. Because this skill covers end-to-end cold outreach execution, over-activation increases the chance of unsolicited messaging workflows being selected when the user only asked for drafting, CRM help, or general communication support.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The file gives detailed instructions for sourcing, verifying, exporting, and storing identifiable business contact data, including emails and LinkedIn URLs, but provides no privacy, consent, lawful-basis, or jurisdictional compliance guidance. In a cold-outreach skill, this omission is material because it operationalizes personal data collection at scale and could lead users to violate anti-spam and data protection rules.

Missing User Warnings

Severity: Medium
Confidence: 90%

Finding
The guide instructs users to export, upload, and process lead CSVs containing personal contact data across Apollo, Hunter, Google Sheets, Gmail, and n8n without any privacy, consent, retention, or legal-compliance guidance. In a cold-outreach skill, this omission is materially risky because it operationalizes personal-data handling at scale and may lead users to conduct unlawful or non-compliant processing under regimes such as GDPR, CAN-SPAM, or similar anti-spam/privacy laws.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal