v1.0.1

Semantic Prospect

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

Semantic Prospect appears to be a coherent instruction-only SaaS integration for public lead discovery, with expected but important API-key, external-service, and account-retention considerations.

Guidance

Install if you are comfortable using Simply Semantics as an external lead-generation provider. Configure the API key carefully, avoid sending sensitive private data as search criteria, review retention/export settings, and clarify optional third-party API-key storage before adding paid provider keys.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Info | Confidence: Medium | Status: Note
SKILL.md
The platform never reads, collects, or stores your third-party API keys on the server side. If you add your own Brave or LLM key in the dashboard, it is stored encrypted...

The wording around optional third-party API key handling is somewhat ambiguous because it says keys are not stored server-side while also saying they are stored encrypted in the account configuration.

User impact: Users might misunderstand how optional Brave or LLM provider keys are stored and used if they add them in the dashboard.
Recommendation: Clarify the provider-key storage model with the vendor before adding optional third-party API keys, especially paid or high-quota keys.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
`SIMPLY_SEMANTICS_API_KEY` is **always required**... it is scoped to your Semantic Prospect account only

The skill requires a per-account credential so the agent can authenticate to the SaaS and consume account quota; this is expected for the stated purpose and is disclosed as scoped.

User impact: Configured agents can make Semantic Prospect requests against your account and quota.
Recommendation: Use a dedicated key if available, store it only in the intended environment variable, rotate it if exposed, and verify the registry/configuration surfaces the required credential clearly.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
clawhub.json
"apiEndpoint": "https://dashboard.simplysemantics.com/sp/mcp/forum-leads-api"

The skill is an external MCP-compatible/provider API integration, so targeting criteria such as niche and keywords are sent to the vendor endpoint.

User impact: Your prospecting criteria and resulting lead records are processed through the Simply Semantics service rather than staying entirely local.
Recommendation: Avoid sending confidential targeting strategies or sensitive customer information as criteria unless you are comfortable with the provider's data handling.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
clawhub.json
"dataRetention": "Leads are stored in your account for your review and export. Data is isolated per account."

The service persists generated lead records in the user's account, which is purpose-aligned but creates retained context/data that users may later export or reuse.

User impact: Lead history, including public prospect context, may remain available in the account after the initial query.
Recommendation: Review retention, deletion, and export controls in the dashboard, and avoid collecting data that violates source community terms or your compliance obligations.