Apollo Like Leads Apify

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says, but it can collect and export business contact details in bulk without enough privacy and lawful-use guidance.

Review before installing for real outreach. Use only contacts you are authorized to process, comply with privacy and anti-spam laws and platform terms, keep result counts limited, leave phone collection off unless necessary, use a scoped Apify token, and control where exported lead data is stored and retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The README promotes B2B lead scraping, contact collection, and outreach-oriented export workflows but does not warn about privacy, consent, or applicable data-protection and anti-spam obligations. In this context, the omission materially increases the risk that users will collect and process personal data in ways that violate platform terms, privacy law, or email marketing rules.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs users to send lead-search filters and retrieve contact records through a third-party Apify actor, but it does not warn that search criteria and collected lead data will leave the local environment and be processed by an external service. In a lead-generation context, this can expose business targeting strategy and personal/contact data without informed user consent or appropriate privacy review.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The manifest directs the agent to run an external Apify actor using APIFY_TOKEN, but it does not warn the user that credentials will be used and that data will be sent to a third-party network service. In an agent setting, this can lead to silent external actions, unintended credential use, and possible transmission of user-provided lead criteria or other sensitive business data without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.