The SignalHire skill integrates the full SignalHire API into OpenClaw, enabling you to search for prospects and enrich their contact details without leaving your workflow. It exposes three core actions: a credits check, a search-by-query for prospecting, and an asynchronous contact enrichment call.
Review
Audited by ClawScan on May 10, 2026.
Overview
The SignalHire skill is purpose-aligned, but its publicly exposed callback service accepts unauthenticated data and stores it in CSV files the agent may later trust.
Install only if you are comfortable running a public callback service. Before use, put the connector behind an authenticated or secret callback URL, restrict the output directory, validate CSVs before importing them into a CRM, pin Flask dependencies, and monitor SignalHire API-key and credit usage.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the callback URL could inject fake prospect records, pollute output files, or create unwanted disk usage.
The connector is intended to be publicly reachable and its callback handler accepts POSTed JSON and writes rows to disk; the provided handler shows no API key check, signature validation, shared secret, source allowlist, or request-size gate before trusting the payload.
You should expose the callback endpoint publicly via a reverse proxy or Cloudflare Tunnel ... @app.route("/signalhire/callback", methods=["POST"]) ... payload = request.get_json(force=True, silent=True) ... if rows: _write_rows(request_id, rows)
Protect the callback with a secret token or provider signature validation, restrict access at the proxy/tunnel, enforce payload size limits, and validate request IDs before writing files.
Bad or untrusted contact data could be imported into a CRM or other business workflow if the CSV is trusted automatically.
The documented workflow treats the generated CSV as input to downstream systems, so spoofed or polluted callback data can propagate beyond the connector.
The connector writes results into CSV files on the local filesystem so you can import them into your CRM or analysis pipeline. ... Once ready, the agent reads the CSV from disk and uses it to populate leads in your downstream system.
Review and validate generated CSVs before downstream import, sanitize fields, and only mark jobs complete when callbacks are authenticated and match the submitted request.
The skill can leave a durable local store of personal contact information that other tools or users may access later.
The connector intentionally persists enriched contact information, including emails and phone numbers, into local CSV files.
A consolidated `results_all.csv` is also maintained in the same directory. ... `emails` ... `phones` ... `location` ... `linkedin_url`
Use a restricted output directory, set clear retention/deletion practices, and avoid storing more enriched contact data than needed.
If misused, the API key could consume credits or retrieve contact data under the user's SignalHire account.
The skill requires a SignalHire API key and callback URL, which are expected for this integration but grant access to the user's SignalHire account and enrichment credits.
requires:
 env: SIGNALHIRE_API_KEY,SIGNALHIRE_CALLBACK_URL
 primaryEnv: SIGNALHIRE_API_KEY
Use the least-privileged key SignalHire supports, keep it out of logs and prompts, monitor credit usage, and rotate it if exposure is suspected.
A future or unexpected Flask dependency version could change behavior or introduce compatibility/security issues.
The dependency is expected for a Flask callback service, but the install instruction is unpinned and there is no lockfile or install spec in the provided artifacts.
The connector depends on `flask` only. Install it with `pip install flask`.
Install in a virtual environment and pin reviewed dependency versions, for example with a requirements file or lockfile.
