Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Instantly Campaign Launcher

v1.0.0

Create and launch an Instantly.ai cold email campaign with D0/D3/D8 sequences and bulk-import leads via API, no dashboard needed.

by Zero2Ai @zero2ai-hub
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the implementation: the code and SKILL.md call api.instantly.ai to create campaigns, add sequences, and import leads. However, the registry metadata lists no required env vars or primary credential, while both SKILL.md and the code require an INSTANTLY_KEY (or config.instantlyKey). This omission makes the metadata inconsistent with what the skill actually needs.
Instruction Scope
Runtime instructions are scoped to Instantly API usage and local files: edit scripts/campaign.config.js, provide leads.json, and set INSTANTLY_KEY. The code only reads those files and the INSTANTLY_KEY and makes HTTPS calls to api.instantly.ai; it does not attempt to read unrelated system files or contact other endpoints.
Install Mechanism
No install spec (instruction-only installation) and no downloads. The package includes two JS scripts bundled in the skill, which is consistent with a run-from-source usage model. No external installers or remote code downloads are used.
Credentials
The skill requires a single API bearer token (INSTANTLY_KEY) which is proportionate to its purpose. The concern is that the registry metadata did not declare this required environment variable or a primary credential, creating a mismatch in the manifest that could mislead users or automated reviewers.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist credentials itself. It only reads local config and leads files and posts to the Instantly API, which is appropriate for its stated function.
What to consider before installing
This skill's code and instructions match the stated purpose, but the registry metadata failing to declare the required INSTANTLY_KEY is a red flag (likely an oversight, but confirm before trusting). Before installing/running:

1) Verify INSTANTLY_KEY is an Instantly API key from app.instantly.ai and keep it secret (do not paste into public repos).
2) Inspect the included scripts (they are provided) and test with a non-production Instantly account and dummy leads to confirm behavior.
3) Ensure you have the right to email the leads and that your campaign complies with anti-spam laws and your organization’s policies.
4) If you plan automation, consider rotating the API key after testing and store it in a secure secret manager rather than plain env vars.

If you need absolute assurance, ask the publisher to update the registry metadata to declare INSTANTLY_KEY as a required credential (primaryEnv) before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk979cbwzmcwkn34934qwnv54x582mz0d
