Prospector

v1.0.0

This skill should be used when the user wants to find leads, prospects, or contacts matching their ICP (Ideal Customer Profile). It searches for companies via Exa and enriches contacts via Apollo, outputting to CSV and optionally syncing to Attio CRM. MANDATORY TRIGGERS: "find leads", "prospecting", "ICP search", "find contacts", "lead generation", "/prospector"

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (lead discovery via Exa + Apollo, optional Attio sync) matches the runtime actions in SKILL.md and scripts/prospector.py. However, the registry metadata claims no required environment variables or primary credential, while the SKILL.md and prospector.py clearly require PROSPECTOR_EXA_API_KEY and PROSPECTOR_APOLLO_API_KEY (and optionally PROSPECTOR_ATTIO_API_KEY). That discrepancy (metadata omitting required creds) is an incoherence that should be resolved before trusting the skill.
Instruction Scope
Runtime instructions are narrowly focused on collecting ICP answers, calling Exa/Apollo/Attio APIs, exporting CSV to the Desktop, and optionally syncing to Attio. These actions are consistent with the stated purpose. Notable behaviors: the setup flow can write a JSON config to ~/.config/prospector/config.json and offers to append export lines to the user's shell profile (~/.zprofile, ~/.bashrc, etc.). Writing/modifying shell profiles and saving API keys to disk are legitimate for convenience but are higher-impact operations that deserve explicit user consent and inspection.
Install Mechanism
No install spec is provided (instruction-only with included Python script). README recommends installing a single dependency (httpx). There are no downloads from arbitrary URLs or archive extraction. Risk from the install mechanism is low, though the skill includes an executable Python script that will run network calls when invoked.
Credentials
The keys the skill requests (Exa, Apollo, optional Attio) are appropriate for its stated integrations. However, the skill metadata does not declare these required environment variables or primary credential, which is misleading. The skill also offers to persist keys in a local config file and to append them to shell profiles — storing secrets in shell profiles can increase exposure if the profile is synced or backed up. The number and type of credentials requested are proportionate to the task, but lack of explicit declaration in metadata is a red flag.
Persistence & Privilege
The skill does not request always:true and does not autonomously escalate platform privileges. It does persist configuration and keys to ~/.config/prospector/config.json (chmod 600) and can append exports to shell profile files. Those file-write behaviors are normal for CLI tools but constitute persistent changes to the user's environment and should be made explicit to the user before being performed.
What to consider before installing
1) Metadata mismatch — the skill's registry metadata lists no required env vars, but the skill needs Exa and Apollo API keys (and optionally Attio). Confirm you understand and accept providing those keys.
2) Inspect the code yourself (scripts/prospector.py) before running: it makes HTTP calls to api.exa.ai, api.apollo.io, and api.attio.com and writes results to ~/Desktop and ~/.config/prospector/config.json.
3) Prefer environment variables over saving keys to disk; if you must save them, verify permissions (the script sets chmod 600).
4) Be cautious about allowing the setup flow to append exports to your shell profile — that modifies files that may be synced/backed up.
5) If you have concerns, run the skill in an isolated environment or VM, or remove the parts that write to your shell profile and config file.
6) If you proceed, ensure API keys have least privilege and can be rotated/revoked easily.

Like a lobster shell, security has layers — review code before you run it.

