Lead Hunter
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lead-hunter
Version: 1.0.1

The skill is designed for lead generation and enrichment, which involves collecting personal and company data and integrating with various external APIs (Twitter, GitHub, Hunter.io, Apollo.io, CRMs) and webhooks. While the core functionality aligns with its stated purpose, the skill includes methods like web scraping (e.g., Product Hunt, and LinkedIn scraping, which `discovery/sources.md` explicitly warns against) and SMTP pings for email verification (`enrichment/email-discovery.md`). Although the documentation provides clear warnings and recommendations for safe usage, these capabilities carry inherent risks such as IP bans, account suspensions, or negative impact on sender reputation, so they are classified as risky without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this workflow could violate platform rules, get accounts banned, or expose the user to legal/compliance risk.
The instructions explicitly describe scraping a service that blocks scraping and recommend proxy/under-radar behavior, which is not a bounded normal API workflow.
⚠️ **HIGH RISK** — LinkedIn actively blocks scraping. Use carefully. ... method: proxy_service ... profiles_per_day: 100 # Stay under radar ... "Use residential proxies only"
Keep LinkedIn scraping disabled unless you have explicit authorization; prefer official APIs or licensed data providers and avoid proxy/evasion tactics.
The agent could send or queue unsolicited outreach to incorrect or non-consenting contacts, harming sender reputation and creating spam/privacy compliance issues.
The scoring workflow can automatically start outreach sequences based on lead scores, but the artifacts do not define user approval or compliance checks before contacting people.
actions: hot: trigger_immediate_outreach warm: add_to_sequence
Require a human review step before any outreach, enforce opt-out/suppression lists, and document compliance requirements for the user’s jurisdiction.
Incorrect, duplicate, or non-compliant personal data could be written into CRMs and downstream sales workflows.
Newly discovered and enriched leads can be pushed directly into CRM systems, so bad scraped data or scoring errors can propagate into business systems.
# Direct CRM Push supported: - hubspot - pipedrive - salesforce - close - apollo ... on_new_lead: action: create_contact
Use dry-run exports by default, add deduplication and validation, require approval before CRM writes, and provide audit/rollback procedures.
Users may not get a clear install-time prompt about which account tokens are needed or what permissions those tokens should have.
The registry does not declare credentials, while the instructions describe API keys for discovery, enrichment, CRM, and webhook integrations.
Required env vars: none - Env var declarations: none - Primary credential: none
Use least-privilege API keys, configure only the providers you need, and avoid granting write access unless CRM/outreach automation is explicitly intended.
Personal lead data could be transmitted to third-party automation tools or endpoints if the webhook is misconfigured or untrusted.
The skill can send the full enriched lead object, likely including emails, phones, and social links, to a user-configured webhook.
on_hot_lead:
  url: ${WEBHOOK_URL}
  method: POST
  payload:
    lead: full_lead_object
Send only necessary fields, use trusted HTTPS endpoints, protect webhook secrets, and avoid forwarding phone/email data unless required.
