Lead Hunter

Warn

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only lead-generation skill is coherent, but it encourages risky scraping/proxy behavior and can automate contact harvesting, CRM changes, and outreach without clear approval safeguards.

Use this only if you intentionally want automated prospecting. Keep risky scraping sources disabled, use official or licensed data providers, provide least-privilege keys, review leads before CRM writes or outreach, and follow applicable privacy, anti-spam, opt-out, and platform rules.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this workflow could violate platform rules, get accounts banned, or expose the user to legal/compliance risk.

Why it was flagged

The instructions explicitly describe scraping a service that blocks scraping and recommend proxy/under-radar behavior, which is not a bounded normal API workflow.

Skill content

⚠️ **HIGH RISK** — LinkedIn actively blocks scraping. Use carefully. ... method: proxy_service ... profiles_per_day: 100   # Stay under radar ... "Use residential proxies only"

Recommendation

Keep LinkedIn scraping disabled unless you have explicit authorization; prefer official APIs or licensed data providers and avoid proxy/evasion tactics.

What this means

The agent could send or queue unsolicited outreach to incorrect or non-consenting contacts, harming sender reputation and creating spam/privacy compliance issues.

Why it was flagged

The scoring workflow can automatically start outreach sequences based on lead scores, but the artifacts do not define user approval or compliance checks before contacting people.

Skill content

actions:
  hot: trigger_immediate_outreach
  warm: add_to_sequence

Recommendation

Require a human review step before any outreach, enforce opt-out/suppression lists, and document compliance requirements for the user’s jurisdiction.

What this means

Incorrect, duplicate, or non-compliant personal data could be written into CRMs and downstream sales workflows.

Why it was flagged

Newly discovered and enriched leads can be pushed directly into CRM systems, so bad scraped data or scoring errors can propagate into business systems.

Skill content

# Direct CRM Push
supported:
  - hubspot
  - pipedrive
  - salesforce
  - close
  - apollo
...
on_new_lead:
  action: create_contact

Recommendation

Use dry-run exports by default, add deduplication and validation, require approval before CRM writes, and provide audit/rollback procedures.

What this means

Users may not get a clear install-time prompt about which account tokens are needed or what permissions those tokens should have.

Why it was flagged

The registry does not declare credentials, while the instructions describe API keys for discovery, enrichment, CRM, and webhook integrations.

Skill content

Required env vars: none
- Env var declarations: none
- Primary credential: none

Recommendation

Use least-privilege API keys, configure only the providers you need, and avoid granting write access unless CRM/outreach automation is explicitly intended.

What this means

Personal lead data could be transmitted to third-party automation tools or endpoints if the webhook is misconfigured or untrusted.

Why it was flagged

The skill can send the full enriched lead object, likely including emails, phones, and social links, to a user-configured webhook.

Skill content

on_hot_lead:
  url: ${WEBHOOK_URL}
  method: POST
  payload:
    lead: full_lead_object

Recommendation

Send only necessary fields, use trusted HTTPS endpoints, protect webhook secrets, and avoid forwarding phone/email data unless required.