Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Real Estate Leads

v1.0.0

Scrape fresh property listings by location, identify motivated sellers with contact info, score opportunities, and generate personalized buyer outreach messa...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md explicitly relies on Apify actors (requires an Apify token) and an external model ('Claude AI') to generate outreach, which are coherent with the described lead-generation purpose — however the registry metadata declares no required environment variables or primary credential. The absence of declared credentials (Apify token, model API key) is an inconsistency: legitimate operation would need at least those credentials.
! Instruction Scope
Instructions direct scraping major property portals and cross-referencing Google to extract owner/agent contact details (names, emails, phone numbers) and to generate outreach messages. The workflow does not instruct reading local files or env vars beyond an input JSON, but it does instruct collecting personal contact data and sending data to external services (Apify, Claude). The SKILL.md sample includes an apify_token field inside input despite no declared env vars — this diverges from the metadata and expands the skill's runtime scope in ways the registry doesn't reflect.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer in the package itself.
! Credentials
Registry declares no required env vars or primary credential, but the SKILL.md requires an Apify token (sample input) and implicitly requires access to a Claude/Anthropic API key or equivalent to generate outreach. Those missing declarations are disproportionate to what the metadata communicates and hide required credentials. Additionally, the skill requests collection of potentially sensitive personal contact data (phone numbers, emails) which increases the sensitivity of required secrets/access and data-handling requirements.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request persistent platform privileges in the registry. There is no install script that changes other skills or system-wide settings visible in the package.
Scan Findings in Context
[no_scan_findings] expected: The skill is instruction-only and the regex scanner found no code to analyze. This is expected, but it means calls to external services (Apify, Claude) and scraper behavior were not examined by the scanner.
What to consider before installing
Before installing or running this skill:
(1) Confirm how API keys will be provided — the SKILL.md expects an Apify token and a model API key (Claude/Anthropic) but the registry lists none; avoid entering long-lived credentials without knowing where they are stored.
(2) Verify who runs the Apify actors and whether those specific actor IDs are trustworthy; actor code and endpoints run outside your environment.
(3) Review legal and privacy implications: the skill scrapes personal contact data and generates outreach — ensure compliance with site terms of service, anti-scraping laws, and data-protection rules (e.g., GDPR, telemarketing laws) before contacting people.
(4) Ask the publisher to declare required env vars and explain data retention/storage: where do scraped leads go, who can access them, and are they transmitted to third-party servers?
(5) Prefer ephemeral tokens and least-privilege credentials; monitor requests and billing for third-party services.
(6) If you need higher assurance, request the full implementation (actor definitions, outbound endpoints) or run equivalent scraping/enrichment under your own controlled account rather than delegating credentials to an unknown skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk975dn42hvew5zxy2p2dg1gpe183y2kf
