Okki Go
v1.0.5B2B lead prospecting & outreach — search companies, find contact emails, send cold emails (EDM), check status & credits; Search global companies, get contact...
⭐ 1· 98·0 current·0 all-time
by@okki-op
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (lead prospecting + outreach) align with required bits: primaryEnv OKKIGO_API_KEY and binaries curl/jq are appropriate for calling the okki.ai REST API. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to call okki.ai endpoints (search, profile, send emails) and includes an email-verification flow that exchanges a 6-digit code for an API key via curl — all expected. It explicitly requires asking user consent before persisting the API key to OpenClaw config. The instructions and included scripts also reference OpenClaw/Clawhub CLI commands and may read the local OpenClaw workspace file (e.g., ~/.openclaw/workspace/skills/okki-go/SKILL.md) when enabling notifications; this is scope-relevant but worth noticing because it reads local skill metadata and manipulates OpenClaw cron/jobs.
Install Mechanism
There is no automated install spec (instruction-only), which is lower risk. The package bundles three shell scripts (post-install, enable-notifications, check-update) that the user is encouraged to run. The Quick Install suggests an npx clawhub command (which would fetch code from npm when run) and the scripts call openclaw/clawhub commands — user action is required to execute these. There are no suspicious remote download URLs or extracted archives in the skill bundle.
Credentials
Only the OKKIGO_API_KEY is declared as the primary credential, which is appropriate and proportional for an API-driven prospecting/outreach skill. The skill explains saving the API key into OpenClaw config so future sessions receive OKKIGO_API_KEY; this is expected but creates persistent long-lived access to the Okki account via that key (user-visible and revocable).
Persistence & Privilege
always:false and agent-autonomy defaults are preserved. The included scripts can create a scheduled OpenClaw cron job to post notifications (openclaw cron add) and may update the skill via openclaw skills update — these actions are user-initiated and the scripts prompt for consent. Still, enabling notifications gives the skill a persistent scheduled presence within the OpenClaw environment, so users should opt-in consciously.
Assessment
This skill appears to do what it says: it calls go.okki.ai APIs and needs your Okki API key. Before installing or running any included scripts: 1) Only provide an API key you created on https://go.okki.ai and understand that saving it with openclaw config makes it a persistent credential available to the skill in future sessions (rotate/revoke keys if needed). 2) Inspect the bundled scripts (post-install/enable-notifications/check-update) before running — they can add OpenClaw cron jobs and call openclaw/clawhub commands; enable notifications only if you want scheduled checks. 3) Avoid running arbitrary npx/npm commands unless you trust the source; prefer installing via the OpenClaw UI if available. 4) If you have concerns, do not run post-install or enable-notifications; you can still use the skill manually by providing the API key per-session. Finally, treat this as a third-party integration: limit key scope if possible and be ready to revoke the key if unexpected behavior occurs.Like a lobster shell, security has layers — review code before you run it.
latestvk9775hsjbnarqx2bykntzt20rx84frtb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🌐 Clawdis
Binscurl, jq
Primary envOKKIGO_API_KEY