Instantly Campaign Launcher
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it can directly create or reuse Instantly campaigns and bulk-import leads without built-in confirmation, dry-run, or rollback controls.
Review the campaign config and leads file carefully before running. Prefer a test campaign or dry run first, keep the Instantly token in an environment variable or secret manager, only use trusted JavaScript config files, and confirm that the lead list is authorized for outreach.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation, wrong campaign name, or wrong leads file could add contacts or sequences to an Instantly campaign and potentially affect outbound email activity, sender reputation, and account data.
The script directly mutates the Instantly account by creating or reusing a campaign, adding email sequences, and importing every lead from the provided file. The artifacts do not show a confirmation gate, dry-run, maximum import size, rollback, or other containment before these high-impact actions.
const createRes = await instantly('POST', '/campaigns', ...); ... const seqRes = await instantly('POST', `/campaigns/${campaignId}/sequences`, ...); ... const res = await instantly('POST', '/leads', { campaign_id: campaignId, email: lead.email, ... });
Add an explicit preview and confirmation step, a dry-run mode, lead-count limits, clear handling for existing campaigns, and a rollback or cleanup procedure before importing leads.
Anyone with access to the token can act on the Instantly account within that token's permissions; storing it in a config file can increase accidental exposure risk.
The script uses an Instantly bearer token to perform account actions. This is expected for the integration, but the registry metadata declares no primary credential or required environment variable, and the code also permits storing the token in the JavaScript config.
const INSTANTLY_KEY = process.env.INSTANTLY_KEY || config.instantlyKey; ... Authorization: `Bearer ${INSTANTLY_KEY}`
Use an environment variable or secret manager rather than committing the token to config, use the least-privileged token available, and declare the credential requirement in metadata.
Using an untrusted or AI-generated config file could run arbitrary local JavaScript under the user's account.
The campaign configuration is loaded with Node's require(), so any JavaScript in the chosen config file executes, not just static configuration data.
const configPath = args[args.indexOf('--config') + 1] || path.join(__dirname, 'campaign.config.js');
const config = require(path.resolve(configPath));
Only run trusted config files, consider switching to JSON or another non-executable config format, and warn users that .js config files are executable.
Lead email addresses, names, company names, and websites are sent to Instantly; misuse or the wrong file could expose contact data or create compliance issues.
The script reads a local leads file and uploads contact fields to the stated Instantly API. This is central to the skill, but it is a sensitive provider data flow.
const leadsRaw = JSON.parse(fs.readFileSync(leadsPath, 'utf8')); ... await instantly('POST', '/leads', { campaign_id: campaignId, email: lead.email, first_name: lead.firstName || lead.first_name || 'there', ... });
Use only authorized lead lists, minimize fields to what is needed, confirm the destination account, and review privacy/compliance obligations before import.
