ABM Outbound
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Prospects' personal contact details and home addresses may be collected and shared across providers, creating privacy, policy, and compliance risk for the user.
The skill is designed to obtain personal emails, phone numbers, and home addresses through third-party enrichment and skip-trace services. The artifacts do not define consent, minimization, retention, or provider-sharing boundaries for that sensitive data.
"reveal_personal_emails": true, "reveal_phone_number": true ... **Important:** Returns HOME addresses from public records.
Use only with a clear lawful basis and provider terms review; minimize collected fields, set retention rules, and require human review before using enriched personal data.
A mistaken or overly broad run could contact the wrong people, trigger campaign sends, incur provider costs, or harm sender/account reputation.
This raw API workflow can enroll contacts into an email campaign using the user's sending account. The artifacts do not require an explicit dry run, final approval, suppression check, or send/cost cap before campaign enrollment.
curl -X POST "https://api.apollo.io/api/v1/emailer_campaigns/add_contact_ids" ... "contact_ids": ["CONTACT_ID_1", "CONTACT_ID_2"], "send_email_from_email_account_id": "YOUR_EMAIL_ACCOUNT_ID"
Add mandatory confirmation steps, dry-run output, batch size limits, suppression/opt-out checks, and a clear review gate before adding contacts to any outreach campaign.
If these keys are available to the agent, it may be able to spend provider credits, enrich contacts, and modify campaign data under the user's accounts.
The skill expects provider API keys that can access scraping, enrichment, and outreach accounts. This is purpose-aligned, but the registry metadata lists no required credentials or environment variables, making the credential boundary less visible.
export APIFY_API_KEY="your_key" export APOLLO_API_KEY="your_key" export SCRIBELESS_API_KEY="your_key"
Declare the credential requirements, use dedicated low-privilege API keys where possible, avoid storing keys in shared logs, and rotate keys after testing.