ABM Outbound
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: abm-outbound Version: 1.0.0 The skill is classified as suspicious due to its inherent high-risk capabilities involving the collection and transmission of sensitive Personally Identifiable Information (PII), including names, emails, phone numbers, and home addresses, to multiple external third-party services. While this behavior is aligned with the stated purpose of multi-channel ABM automation, the extensive handling of PII and reliance on external APIs (apify.com, apollo.io, instantly.ai, scribeless.co) represents a meaningful high-risk activity from a data privacy and security perspective. There is no evidence of intentional malicious behavior, prompt injection, or unauthorized data exfiltration beyond the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Prospects' personal contact details and home addresses may be collected and shared across providers, creating privacy, policy, and compliance risk for the user.
The skill is designed to obtain personal emails, phone numbers, and home addresses through third-party enrichment and skip-trace services. The artifacts do not define consent, minimization, retention, or provider-sharing boundaries for that sensitive data.
"reveal_personal_emails": true, "reveal_phone_number": true ... **Important:** Returns HOME addresses from public records.
Use only with a clear lawful basis and provider terms review; minimize collected fields, set retention rules, and require human review before using enriched personal data.
A mistaken or overly broad run could contact the wrong people, trigger campaign sends, incur provider costs, or harm sender/account reputation.
This raw API workflow can enroll contacts into an email campaign using the user's sending account. The artifacts do not require an explicit dry run, final approval, suppression check, or send/cost cap before campaign enrollment.
curl -X POST "https://api.apollo.io/api/v1/emailer_campaigns/add_contact_ids" ... "contact_ids": ["CONTACT_ID_1", "CONTACT_ID_2"], "send_email_from_email_account_id": "YOUR_EMAIL_ACCOUNT_ID"
Add mandatory confirmation steps, dry-run output, batch size limits, suppression/opt-out checks, and a clear review gate before adding contacts to any outreach campaign.
If these keys are available to the agent, it may be able to spend provider credits, enrich contacts, and modify campaign data under the user's accounts.
The skill expects provider API keys that can access scraping, enrichment, and outreach accounts. This is purpose-aligned, but the registry metadata lists no required credentials or environment variables, making the credential boundary less visible.
export APIFY_API_KEY="your_key" export APOLLO_API_KEY="your_key" export SCRIBELESS_API_KEY="your_key"
Declare the credential requirements, use dedicated low-privilege API keys where possible, avoid storing keys in shared logs, and rotate keys after testing.