Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ultimate lead scraper

v1.0.0

Scrapes and qualifies B2B leads from Google Maps, Yellow Pages, Yelp, and LinkedIn, scoring fit and generating AI-powered outreach sequences automatically.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to discover, qualify, deduplicate and generate outreach for B2B leads using Apify actors and an LLM. The SKILL.md shows concrete Apify actor calls and normalization/deduplication code that are coherent with that purpose. However, the registry metadata lists no required environment variables while the runtime instructions explicitly instruct the user to set APIFY_TOKEN — this mismatch is unexpected. The skill also references Claude AI but doesn't document how to authenticate to it.
! Instruction Scope
The instructions tell the agent to run Apify actors across multiple public directories and to deep-crawl websites to extract emails — actions consistent with the stated purpose but high-impact (harvesting emails). The SKILL.md advises checking robots.txt and legal considerations, which is good, but it also directs large-scale scraping across multiple sources without discussing rate limiting, proxy/CAPTCHA handling, or limits on private/login-gated content. The file does not (in the visible portion) require or discuss any system files or unrelated env vars, but the absence of declared required envs (APIFY_TOKEN is referenced) is a scope/information mismatch.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code — the only install guidance is to run 'npm install apify-client axios', which is proportional to the shown JavaScript examples. There are no downloads from arbitrary URLs or extracted archives in the manifest.
! Credentials
The SKILL.md tells users to export APIFY_TOKEN (Apify Personal API Token) but the skill metadata did not list any required environment variables; this inconsistency can mislead users about what credentials the skill needs. The skill references Claude AI but gives no guidance on which credential or env var to set for the LLM, leaving unclear where that secret would be used. Requesting an Apify token is reasonable for the task, but the missing declaration and the unspecified LLM credential are red flags.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. As an instruction-only skill it does not write installers or modify other skills. There is no indication it tries to persist credentials or alter agent-wide configuration.
What to consider before installing
Before installing or running this skill, note these points:
(1) The SKILL.md tells you to set an APIFY_TOKEN but the registry metadata did not declare required env vars — treat the Apify token as a sensitive credential and only provide it if you trust the skill and author.
(2) The skill also references 'Claude AI' but does not explain how to authenticate to the LLM — investigate where/if an LLM API key is required and do not paste secrets into unknown places.
(3) Large-scale scraping and email extraction can violate sites' terms of service and privacy laws; consult legal/compliance and avoid scraping login-gated or personal profiles.
(4) Because this is instruction-only (no bundled code), the risk of hidden binaries is lower, but the instructions will cause network activity that may exfiltrate data if you run them; prefer running in an isolated environment or with a throwaway Apify account and minimal billing limits.
(5) Verify Apify actor IDs and links in the SKILL.md directly on apify.com, and prefer skills that explicitly declare required env vars and authentication flows.

If you need higher assurance, ask the publisher for source code or a known homepage and confirm exactly how the skill uses any LLM or external services.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973q0fy3qhaq1wfjxjx3nyrvn83rht3
