Foxreach
ReviewAudited by ClawScan on May 10, 2026.
Overview
Foxreach is a coherent FoxReach API helper, but it can use your API key to change or launch email campaigns and delete records without explicit confirmation safeguards.
Install only if you trust the FoxReach SDK/CLI source and understand that the API key can manage leads, campaigns, sender accounts, inbox data, and outbound outreach. Before allowing start, delete, bulk add, or account-removal operations, require the agent to show a preview and get your explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misinterprets a request, it could alter or delete FoxReach records or launch outreach to many recipients.
The skill lets the agent run Python SDK calls that can delete data, bulk modify campaigns, and start outreach, but the instructions do not require confirmation, limits, or a preview before these high-impact actions.
allowed-tools: Bash(python *), ... | Delete | `client.leads.delete(lead_id)` | | Start | `client.campaigns.start(campaign_id)` | | Add Leads | `client.campaigns.add_leads(campaign_id, [lead_ids])` | Bulk add |
Require explicit user confirmation and a dry-run/preview for campaign start, delete, bulk add, email-account removal, and sequence/template mutations; show IDs, counts, affected accounts, and reversibility before executing.
Anyone with the API key may be able to access or modify FoxReach leads, campaigns, inbox data, and sender accounts within that workspace.
A FoxReach API key is expected for the integration and can optionally be stored by the CLI config; this is purpose-aligned but sensitive, especially because registry metadata does not declare a primary credential.
Both use API key authentication with keys prefixed `otr_`... Always get the API key from the user or environment... config set-key --key otr_...
Use a least-privileged key if available, prefer secure environment or secret storage, avoid pasting keys into shared logs or chat history, and document where CLI config stores the key.
The setup may fail, or the user may end up installing unreviewed local code before giving it a FoxReach API key.
The reviewed manifest contains only documentation files and no SDK/CLI code or install spec, so this setup depends on code outside the supplied artifacts.
The Python SDK is at `integrations/sdk-python/` and the CLI is at `integrations/cli/`... cd integrations/sdk-python && pip install -e .
Verify the SDK/CLI source before installing, pin or include the expected package, and add an install spec or provenance details for the referenced code.