Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outbound Campaign

v1.0.0

Scrapes qualified leads, segments by intent, crafts 15 personalized emails, LinkedIn messages, ad hooks, and a video asset for a full outbound campaign in 15...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md describes scraping LinkedIn, finding emails, and calling Apify and InVideo APIs (inputs include apify_token and invideo_api_key), but the registry metadata lists no required environment variables or primary credential. The skill's claimed capabilities legitimately need API credentials, so the metadata omission is incoherent.
[!] Instruction Scope
Runtime instructions direct the agent to scrape company and personal LinkedIn data, verify emails, gather recent news and personal posts, and send data to third-party services (Apify, InVideo, Claude). That scope involves collecting personal data and transmitting it externally; the SKILL.md gives no constraints, filtering, or privacy/consent guidance.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it does not write binaries to disk. That lowers installation risk. (Note: the SKILL.md contains affiliate links to service pages, which is unexpected but not a code-level risk.)
[!] Credentials
The provided INPUT example requires apify_token and invideo_api_key, yet the package metadata declared no required env vars or primary credential. Requesting API keys to scrape and contact leads is reasonable for the described task, but the absence of declared credentials in the registry (and no explanation of what minimal scopes are needed) is a red flag.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. Autonomous model invocation is allowed (platform default) but is not combined with elevated privileges here.
What to consider before installing
This skill appears to do what it claims (scrape leads, craft sequences, call Apify and InVideo), but the registry metadata omits the API keys it obviously needs and the runtime instructions involve scraping personal data and sending it to third parties. Before installing or running it:

- Ask the publisher to update the registry metadata to explicitly declare required env vars (apify_token, invideo_api_key, and any Claude/other keys) and to state required scopes and minimum permissions for those tokens.
- Request a clear list of external endpoints the skill will call (Apify actor IDs/URLs, InVideo endpoints, Claude endpoints) so you can audit traffic and firewall rules.
- Confirm whether the skill requires any LinkedIn credentials or browser automation that would expose your account — the SKILL.md references LinkedIn scraping but doesn't say how it's authenticated.
- Consider legal/privacy implications and platform TOS: scraping and storing personal LinkedIn/profile/email data can violate terms or privacy laws; get consent where required.
- Use least-privilege test tokens (non-production accounts) when evaluating, and monitor network calls.
- If you need stronger assurance, ask for the exact implementation (Apify actor IDs or code) so you or a reviewer can audit what data is extracted and transmitted.

Given these mismatches and the sensitive nature of the operations, treat the skill as untrusted until the publisher provides the clarifications above.

Like a lobster shell, security has layers — review code before you run it.

latestvk972m2kjhda9324zdejd37w0mx840psz
