Is dru-ca/abm-outbound safe?

The skill instructs the agent to scrape LinkedIn profiles at scale using the Apify harvestapi~linkedin-profile-scraper actor. LinkedIn's User Agreement (Section 8.2) explicitly prohibits crawling, scraping, or automated data collection. Users who execute this workflow risk LinkedIn account termination, cease-and-desist letters, and potential Computer Fraud and Abuse Act (CFAA) liability. The ninth circuit hiQ ruling addressed public data access but does not immunize commercial-scale scraping for outbound sales use cases.

The skill uses Apify's one-api~skip-trace actor to resolve individuals' residential home addresses from public records, then transmits those addresses to Scribeless to generate physical handwritten letters. In most GDPR jurisdictions, processing home addresses for unsolicited commercial outreach requires a lawful basis (Art. 6) that cold-outreach sales campaigns typically cannot establish. In the U.S., depending on the prospect's state, this may conflict with CCPA or other privacy frameworks. The enrichment.md reference file explicitly notes: 'Returns HOME addresses from public records.'

The Apollo bulk_match call explicitly sets reveal_personal_emails: true and reveal_phone_number: true, targeting personal (non-work) email addresses such as Gmail and iCloud accounts. This goes beyond contacting professionals at their work address and reaches individuals' personal accounts and mobile numbers — a materially higher privacy intrusion that users may not anticipate.

The coordinated 14-day sequence of cold emails, LinkedIn messages, and physical letters to prospects who have not opted in raises compliance exposure under CAN-SPAM (requires opt-out mechanism and honest subject lines), GDPR (requires opt-in consent or legitimate interest assessment for EU subjects), and CASL (requires express consent for Canadian recipients). The skill provides no guidance on regulatory compliance, suppression lists, or jurisdictional restrictions.

The pipeline routes prospect PII through at least four distinct external platforms: Apify (scraping + Skip Trace), Apollo (enrichment + email sequences), Scribeless (physical mail), and optionally Instantly.ai. Each vendor receives different subsets of the aggregated data under their own data processing terms. Users may not realize that a single prospect's home address is transmitted to Scribeless, their work email to Apollo sequences, and their LinkedIn profile to Apify — all from a single agent session.

The skill requires APIFY_API_KEY, APOLLO_API_KEY, SCRIBELESS_API_KEY (and optionally INSTANTLY_API_KEY) to be exported as shell environment variables. These are accessible to the agent throughout the session and transmitted in Authorization headers on every API call. If a co-loaded skill or prompt injection causes the agent to inspect or print environment variables, these keys could be leaked.

Filesystem monitoring recorded read-only opens of all six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) at Unix timestamp 1771923942, five seconds before the git clone executed at 1771923947. Concurrent EXECVE records show ss -tunap running at 1771923942.264, consistent with Oathe monitoring setup rather than the skill. All accesses were CLOSE_NOWRITE (read-only) and the Oathe canary integrity check confirmed all files intact.

The skill is pure documentation. No package.json, npm lifecycle scripts, .gitattributes filter configurations, git submodules, symlinks, or executable binaries were found. Install process performed only git sparse-checkout and cp operations. The bash and Python snippets in SKILL.md are workflow pseudocode and are not run during installation.

Full review of SKILL.md detected no prompt injection patterns: no instructions to ignore prior context, no persona switches, no output suppression directives, no base64-encoded payloads, no zero-width unicode, and no HTML comment trickery. The document is a straightforward B2B outbound sales automation guide.