Local Lead Gen
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly honest about being a lead-generation tool, but it can automatically scrape contact emails and send cold outreach from the user's email account without clear approval, suppression, or unsubscribe enforcement.
Install or run this only if you are comfortable with automated cold outreach from your sending account. Start with --dry-run, manually review leads, add explicit send confirmation, implement unsubscribe and suppression-list enforcement, and use provider-side limits to protect your domain and credentials.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the default pipeline can send unsolicited emails from the user's domain/account, which may create legal, reputational, deliverability, or spam-abuse risk.
For every qualifying low-scoring business where an email is found, the script sends outreach automatically unless --dry-run was provided; no per-recipient approval or suppression check is shown.
if (email) {
  const sent = await sendEmail(email, biz.name, score.issues, args.city);
Use --dry-run first, review all recipients and message text manually, add explicit confirmation before sending, enforce suppression/unsubscribe lists, and comply with applicable email laws.
A user may believe the workflow is safe to scale when it can instead damage sender reputation or violate outreach rules.
The guidance encourages scaling unsolicited outreach and avoiding spam flags, while the provided script does not enforce unsubscribe, suppression, or compliance controls.
- **Send 10-25 emails per day** per domain to avoid spam flags
- **Rotate sending domains** if scaling past 50/day
- **Add drip sequences**
Treat the scaling guidance cautiously; require compliance review, unsubscribe handling, rate limits, consent/suppression checks, and human approval before any bulk or drip outreach.
Supplying these keys gives the script access to paid/search/email-sending services, especially the ability to send messages through the user's Resend or SMTP account.
The skill requires provider credentials, including an email-sending key, even though registry metadata lists no required environment variables or primary credential.
- **Brave Search API key** — for business discovery
- **Resend API key** (or SMTP credentials) — for sending cold emails
- **DeepCrawl API key** (optional)
Use least-privilege API keys, set provider-side sending limits, monitor usage, and revoke keys if the skill is no longer needed.
Discovered contact details and message content leave the local environment and are processed by a third-party email provider.
Recipient email addresses and generated outreach content are transmitted to Resend, which is expected for the stated email-sending purpose but should be visible to the user.
const res = await httpPost('https://api.resend.com/emails', {
  from: `${FROM_NAME} <${FROM_EMAIL}>`,
  to: [to],
  subject,
  text: body
}
Review provider privacy terms, avoid including sensitive information in outreach content, and only send to reviewed recipients.
