Contact Finder
Pass. Audited by ClawScan on May 10, 2026.
Overview
The supplied artifacts match a contact-finding tool, with expected third-party API and API-key use, and no evidence of hidden persistence, destructive actions, or malicious behavior.
This skill appears safe to install if you understand that it calls external APIs and may generate unverified contact guesses. Use environment variables for API keys, install dependencies carefully, verify results manually, and consider privacy/compliance obligations before using found emails for outreach.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your API keys may be billed or exposed if pasted into source files, shared logs, or repositories.
The skill needs third-party provider API credentials. This is expected for SerpAPI/OpenAI, but users should avoid hardcoding secrets by editing the script, and the registry metadata does not declare these credentials.
Set credentials in environment or edit `scripts/find_contacts.py`:
- `SERPAPI_KEY`
- `OPENAI_API_KEY`
Use environment variables or a secrets manager, avoid committing edited scripts with keys, and consider updating metadata to declare required credentials.
Contact-search inputs and retrieved snippets may be processed by SerpAPI, Brave Search if configured, and OpenAI.
The tool sends search queries and prompt content to external providers. This matches the stated purpose, but names, companies, domains, and search snippets can leave the local environment.
`url = "https://serpapi.com/search" ... params = {"q": query, "api_key": SERPAPI_KEY, ...}; ... response = client.chat.completions.create(model="gpt-4o-mini", messages=[{"role": "user", "content": prompt}], ...)`
Use the tool only with data you are comfortable sending to those providers, and check provider privacy and retention settings.
The contact list or confidence ratings may be inaccurate or manipulated by web content.
Untrusted search snippets are embedded directly in the LLM prompt. A malicious or misleading search result could influence the extracted JSON, although the shown code only returns/prints results and does not execute model output.
`combined = "\n\n".join(snippets[:15]) ... prompt = f"""Extract professional contact information... Only return valid JSON array... SNIPPETS:\n{combined}"""`
Treat results as suggestions, verify emails and LinkedIn profiles independently, and do not rely on the LLM output as proof of validity.
Installing latest packages can produce different behavior over time or pull compromised dependencies if the package source is not trusted.
The setup asks users to install unpinned Python packages without an install spec or lockfile. This is normal for a simple Python script but means dependency provenance and versions are user-managed.
`pip3 install openai requests`
Install in a virtual environment, use official package sources, and pin dependency versions if using this in a sensitive workflow.
