SMB Sales Boost — B2B Lead Database of SMBs for Cold Outreach & GTM
Pass. Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a disclosed SMB lead-database API client, but it handles API credentials, PII exports, and real billing/subscription actions that users should explicitly approve.
Install only if you trust the SMB Sales Boost provider and intend to let the agent query/export leads through your account. Use previews and maxCredits to control spending, require explicit confirmation for purchases, plan changes, auto top-up, cancellation, exports, and scheduled emails, and store exported lead files securely.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less publisher context before trusting the skill with an API key, lead data, or billing operations.
The artifact set does not identify a public source repository or homepage for the skill package. This is a provenance note, not evidence of malicious behavior, especially because no install script is shown and the included helper code is readable.
Source: unknown; Homepage: none
Verify that smbsalesboost.com and the registry publisher are the service you intend to use before providing credentials or payment information.
Anyone or any agent with the API key may be able to access or modify the associated SMB Sales Boost account within that key's permissions.
The skill requires a service API key and uses it to access the user's SMB Sales Boost account. This is expected for the integration and is disclosed.
The user must provide their API key. Keys have a `smbk_` prefix and are generated from the Dashboard > API tab. The key is passed as a Bearer token in the Authorization header of every request.
Use the minimum-privilege or revocable key available, avoid pasting real keys into shared chats, and rotate the key if it may have been exposed.
If misused or approved accidentally, the agent could initiate purchases or subscription-related changes that cost money.
The skill can invoke high-impact billing actions. The risk is disclosed and the instructions require user confirmation, so this is a notable capability rather than a suspicious mismatch.
Includes purchase endpoints that create real Stripe charges — always confirm with user.
Require explicit confirmation that includes the plan, amount, credit count, and expected charge before allowing any purchase, plan change, or auto top-up action.
Exported files may contain personal or business contact details that could be mishandled, overshared, or retained longer than intended.
Lead exports intentionally contain contact PII and are written to local output storage. This is purpose-aligned, but it creates handling and retention obligations.
Exported leads contain business contact information including phone numbers and email addresses (PII). Exported files are saved to the agent's output directory by default.
Use previews and credit limits when possible, save exports only to secure locations, delete unneeded files, and follow applicable privacy and outreach laws.
Scheduled emails or auto top-ups may continue after the current session and could keep distributing lead data or incurring charges if left enabled.
The skill can configure ongoing provider-side automation, such as scheduled lead emails and automatic credit top-ups. These are disclosed and appear user-directed.
Set up email schedules: "Email me new auto shop leads in Georgia every day" ... Auto top-up: "Set up auto top-up so I never run out of credits"
Review scheduled emails and auto top-up settings after setup, set caps where available, and disable them when no longer needed.
