Skill v1.9.0

ClawScan security

SMB Sales Boost — B2B Lead Database of SMBs for Cold Outreach & GTM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 4, 2026, 2:36 PM)
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements, instructions, and code are internally consistent with a B2B lead database client, but it handles PII and programmatic purchases so you should confirm billing actions and protect the API key and exported files.
Guidance
This skill appears to do what it claims: it needs your SMB_SALES_BOOST_API_KEY to call the API and will save exported lead files (which contain PII) to disk. Before installing or using it:
1) Only provide a key you trust to this skill and avoid embedding a long-lived key in shared environments.
2) Override the default output directory (--output-dir) to a secure location you control and clean up exports when done.
3) Always confirm with the agent before performing purchases or exports that consume credits (the API can create real Stripe checkout sessions and charges).
4) Be mindful of rate limits and credit usage (new leads and exports may incur costs).
5) Note that the skill source is listed as unknown and there is no homepage—if provenance matters, obtain the skill from a known/published provider or inspect the code yourself before use.

Review Dimensions

Purpose & Capability
ok
Name/description match the declared requirements and included code. The only required credential is SMB_SALES_BOOST_API_KEY, which is appropriate for an API client that queries and exports leads. No unrelated env vars or binaries are requested.
Instruction Scope
note
SKILL.md instructs the agent to request and reuse the API key, call the documented API endpoints, and save exports to an output directory. It explicitly warns that exports contain PII and that programmatic purchase endpoints create real Stripe charges and must be confirmed with the user. This is within scope but requires care: the skill will download and write exported lead files (containing phone numbers/emails) to disk by default, and it exposes endpoints that can initiate paid purchases — the agent MUST confirm with the user before using purchase endpoints or exporting large numbers of new leads.
Install Mechanism
ok
No install spec is present (instruction-only skill with bundled code). There are no downloads from arbitrary URLs or install steps that write/execute additional code. The included smb_api.py is a straightforward API client.
Credentials
ok
Only SMB_SALES_BOOST_API_KEY is required and declared as the primary credential. That is proportional to the stated functionality. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated platform privileges. It writes exported files to an output directory (default /mnt/user-data/outputs), which is expected behavior for an exporter but is something the user should control to avoid leaving PII in public/unprotected locations.