Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Expert Finder

v1.4.0

Find domain experts, thought leaders, and subject-matter authorities on any topic. Searches Twitter and Reddit for people who demonstrate deep knowledge, frequent discussion, and above-average expertise in a specific field. Suited to expert discovery, talent sourcing, researcher identification, and KOL (Key Opinion Leader) mapping.

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill claims to find domain experts using Twitter/Reddit and the SKILL.md instructs the agent to call the Xpoz service via the mcporter CLI and to use web_search/web_fetch for query expansion. Requiring mcporter, the xpoz-setup helper, and network access to mcp.xpoz.ai is proportional to that purpose. Minor inconsistency: top-level registry metadata lists no explicit 'requires.skills' entry but SKILL.md metadata does require an 'xpoz-setup' skill and an Xpoz account (OAuth), which is plausible but should be noted.
Instruction Scope
Instructions are specific: expand queries, call mcporter to fetch posts and profiles, poll operation status, download CSVs, classify and produce a report. They do not instruct reading unrelated system files or environment variables, nor do they direct data to unexpected endpoints beyond Xpoz and web search tools. The skill will collect and process social media content (expected for the purpose).
Install Mechanism
The install spec is an npm package (mcporter) which is a traceable but moderate-risk mechanism (supply-chain risk). The package is not version-pinned in the spec, which increases risk. This is not an arbitrary URL download or archive extract, but you should verify the npm package identity, maintainer, and published version before installing.
Credentials
No environment variables are declared; authentication is delegated to the 'xpoz-setup' skill via OAuth 2.1, which is appropriate for a third-party service. The skill does require network access to mcp.xpoz.ai and will cause social-media data to be fetched and processed by Xpoz, which is consistent with the function but relevant to privacy and data-sharing considerations.
Persistence & Privilege
always:false and default autonomous invocation are normal. The skill depends on another setup skill to obtain credentials; that flow may persist tokens as part of normal OAuth behavior. Because the skill can run autonomously and call external services, consider the usual caution about granting network and install permissions, but there is no indication it requests elevated system privileges or modifies other skills.
Scan Findings in Context
[no-code-files-to-scan] expected: The scanner found no code files (instruction-only SKILL.md). This is expected; the security surface is primarily in the SKILL.md instructions and the npm install of mcporter rather than local code.
Assessment
This skill appears to be what it says: it uses an Xpoz client (mcporter) plus web search to discover experts. Before installing:
1) Verify the mcporter npm package (author, popularity, recent changes) and consider pinning a version; avoid installing unknown packages without review.
2) Inspect or run the xpoz-setup OAuth flow in a controlled way to see what permissions/tokens are granted and where tokens are stored.
3) Be aware that the skill will send queries and retrieved social media content to Xpoz (mcp.xpoz.ai), so review Xpoz's privacy policy if you care about sharing collected data.
4) If you want tighter control, restrict autonomous invocation or require explicit user approval before the skill runs network calls or installs packages.
If you can provide the xpoz-setup code or the mcporter package URL/version, I can reassess with higher confidence.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: mcporter

Install

Install mcporter (npm)
Bins: mcporter
npm i -g mcporter