Apify Lead Generation
PassAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Apify lead-generation integration, but it uses your Apify token to run external scraping actors and can save or display public contact data.
Install this only if you intend to use Apify for scraping-based lead generation. Before running, verify the selected Actor, inputs, output size, expected costs, and platform/legal compliance; use a least-privilege APIFY_TOKEN if possible and monitor or stop long-running Apify jobs from your Apify account.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A requested lead-generation task can start external scraping runs that may cost credits or collect more data than intended if the actor/input is broad.
The script starts Apify Actor jobs using the selected actor and JSON input. This is central to the skill, but it can launch scraping jobs and consume Apify account resources.
const url = `https://api.apify.com/v2/acts/${apiActorId}/runs`; ... method: 'POST' ... body: JSON.stringify(parsedInput)Confirm the Actor ID, input parameters, expected result count, and cost before running large or unfamiliar scraping jobs.
Anyone or any agent run with access to this skill and token can run permitted Apify actions under your account.
The script uses a bearer token to authenticate Apify API calls. This is expected for Apify integration, but it means the skill acts with the permissions of the configured APIFY_TOKEN.
'Authorization': `Bearer ${token}`Use a least-privilege Apify token if available, keep it in OpenClaw settings rather than chat, and monitor Apify account usage.
The installed package becomes part of the execution path for the skill.
The skill installs and depends on an external npm package for the mcpc binary. This is disclosed and purpose-aligned, but the install spec does not show a pinned package version.
node | package: @apify/mcpc | creates binaries: mcpc
Install from a trusted registry/source and consider pinning or auditing the @apify/mcpc version in controlled environments.
Your APIFY_TOKEN is used outside the local environment to communicate with Apify services.
The workflow sends the Apify token to an external Apify MCP endpoint to fetch Actor details. This is expected, but it is a token-bearing provider/MCP flow.
mcpc --json mcp.apify.com --header "Authorization: Bearer $APIFY_TOKEN" tools-call fetch-actor-details
Use only the official Apify endpoint, avoid exposing the token in transcripts or logs, and rotate the token if you suspect disclosure.
Using scraped contact data may create privacy, platform terms, or compliance obligations even if the data is public.
The skill also lists actors for extracting emails, phones, and profiles. The privacy statement is qualified, but users should not treat publicly available contact data as automatically unrestricted for sales outreach.
Apify Actors only scrape publicly available data and do not collect private or personally identifiable information beyond what is openly accessible on the target platforms.
Review applicable laws, platform terms, and consent requirements before using collected leads for outreach.
A long-running Actor may continue consuming Apify resources after the local command stops waiting.
If local polling times out, the Apify cloud Actor run is not automatically aborted. The code warns about this rather than hiding it.
console.error(`Warning: Timeout after ${timeout}s, actor still running`); return 'TIMED-OUT';Check the Apify console for timed-out or long-running jobs and stop them manually if they are no longer wanted.