Email Finder
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it performs external web, DNS, search, and SMTP checks, so it should be used only for small, intentional lookups.
Before installing, confirm you are comfortable with a tool that contacts target websites, search/directory services, DNS, and mail servers. Use it for targeted lookups only, avoid bulk prospecting from sensitive networks, consider --no-verify when SMTP checks are unnecessary, and install the Python dependency carefully.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Target mail servers can see the checks, and repeated or bulk use could cause blocking or IP reputation issues.
The script verifies guessed or found addresses by making SMTP RCPT TO probes against the target domain's mail server. This matches the stated purpose and is rate-limited, but it is still active external probing.
smtp.connect(mx_host, 25) ... smtp.mail(f'verify@{helo_domain}') ... code, msg = smtp.rcpt(email)
Use it only for targeted, legitimate lookups; keep the default caps/delays or make them more conservative; use --no-verify when SMTP recipient checks are not necessary.
On an untrusted network, results could include spoofed or manipulated email addresses.
HTTPS page fetches disable certificate verification, which can let a network attacker or intercepting proxy alter scraped page content.
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
Prefer normal TLS certificate verification unless there is a clearly documented reason to disable it.
Users will install whatever current dnspython package their Python environment resolves, which carries ordinary package supply-chain risk.
The setup instruction installs an unpinned external package, and the registry says there is no install spec to lock or verify that dependency.
pip3 install dnspython
Install dependencies from a trusted environment and consider pinning a known-good dnspython version.
A user might underestimate that even non-SMTP mode can contact external services and reveal the domain being investigated.
The 'zero risk' wording overstates the safety of --no-verify mode because the tool can still perform website scraping, search/directory requests, and DNS lookups.
# Just scrape, no SMTP (zero risk)
python3 scripts/find_emails.py example.com --no-verify
Treat --no-verify as lower-risk, not risk-free, and review what external requests are acceptable before running it.
