Specter CLI – AI powered startup and deal sourcing

v1.0.0

Enrich, search, and manage company and professional data, lists, saved searches, and signals using the Specter intelligence platform via CLI.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md describes a CLI that calls the Specter API (company/person enrichment, lists, saved searches). The commands and the need for an API key are coherent with that purpose.
! Instruction Scope
The instructions tell users to install and link a third-party npm CLI and advise storing SPECTER_API_KEY in files like ~/.claude/.env or shell rc files. The skill also documents commands that accept --file <path> (reading user files). SKILL.md requires SPECTER_API_KEY in practice, but the registry metadata does not declare any required env vars. This mismatch reduces trust and may lead to accidental exposure of the key if users follow the suggestion to store it in shared or agent-visible files.
Install Mechanism
This is an instruction-only skill (no install spec in registry). SKILL.md tells users to git clone git@github.com:FroeMic/tryspecter-cli.git and run npm install/build/link. That workflow will execute third-party code on the user's machine (including any npm lifecycle scripts). The repo belongs to a non-obvious third party (FroeMic) rather than being an official Specter release; cloning via SSH requires an SSH key and may be unexpected. This is not inherently malicious but requires verification of the repo and package contents before running npm install.
! Credentials
The CLI legitimately needs an API key (SPECTER_API_KEY) for auth, and SKILL.md explains this. However, the registry's declared requirements list zero env vars/credentials — the missing declaration is an inconsistency. The only sensitive item referenced is SPECTER_API_KEY; no unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It does recommend adding the API key to ~/.claude/.env or shell rc files, which affects persistence of the credential but is a user-level choice rather than an automatic modification by the skill.
What to consider before installing
What to check before installing/use:
- The SKILL.md expects SPECTER_API_KEY but the registry metadata doesn't list any required env vars — treat that as a packaging oversight and assume you must provide an API key.
- Verify the repository (git@github.com:FroeMic/tryspecter-cli.git). Prefer official repos or releases; inspect the package.json and any postinstall/build scripts before running npm install to avoid executing malicious code.
- Consider cloning via HTTPS if you don't want to use an SSH key, or audit the code in a sandboxed environment (container/VM) before installing globally (npm link).
- Don't store the API key in files readable by other users or untrusted agents; prefer a credential store or a key with least privilege and short lifetime if possible. Be cautious about adding it to an agent-visible file (e.g., ~/.claude/.env) if that agent has access to other data.
- The CLI can read files via --file <path>; avoid passing sensitive files unless you understand where results are sent and who has access to them.
- If you rely on this skill for handling personal or candidate data, confirm compliance with your data-privacy policies and Specter terms.

If you want a safer install path, ask the skill author for an official release tarball or a published npm package and for explicit documentation of required env vars in the registry metadata.

Like a lobster shell, security has layers — review code before you run it.
