Prospector
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the skill can use the Attio credential to create or update CRM records in the user's workspace.
The optional Attio integration requests a delegated account credential with write authority. This is purpose-aligned for CRM sync, but it is high-impact access.
Create a new API key with read/write access
Use the least-privileged, revocable API key available, confirm the workspace before syncing, and revoke the key if the skill is no longer used.
Approving sync can add or update business records and contacts in Attio.
The code performs CRM write operations during Attio sync. The artifacts disclose this and ask the user before syncing, but CRM mutation is still a sensitive action.
client.put("https://api.attio.com/v2/objects/companies/records"
Review the generated CSV before syncing, start with a small contact count, and keep a way to undo or clean up imported CRM records. Note that a PUT to this endpoint can update an existing record that matches as well as create a new one, so a re-run can overwrite data the CRM already held.
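The recommendations for the credential finding and the CRM-write finding above (confirm the workspace before syncing, dry-run the generated CSV, start with a small batch, keep an undo path) as one worked example. This is added code, not the Prospector skill's own. It assumes the Attio v2 response shapes named in the comments (GET /v2/self reporting workspace_id, PUT .../records?matching_attribute=... returning data.id.record_id, DELETE .../records/{record_id}) and runs offline against a constructed stand-in for the API; the journal file is what makes rollback possible after a partial import.

```python
import csv, io, json, os, tempfile, urllib.request

ATTIO = "https://api.attio.com/v2"

def urllib_send(method, url, token, body=None):
    """Real HTTPS transport (not used by run_demo). Response shapes below are assumed from Attio's v2 API."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

def confirm_workspace(send, token, expected_workspace_id):
    """Refuse to sync unless the token resolves to the workspace the operator expects (GET /v2/self, assumed)."""
    me = send("GET", f"{ATTIO}/self", token)
    got = me.get("workspace_id")
    if got != expected_workspace_id:
        raise PermissionError(f"token resolves to workspace {got!r}, expected {expected_workspace_id!r}")
    return me.get("workspace_name", "")

def plan_companies(csv_text, limit):
    """Dry run over the generated CSV: normalise domains, drop blanks and duplicates, cap the first batch."""
    keep, later, skipped, seen = [], [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = (row.get("domain") or "").strip().lower()
        if not domain or domain in seen:
            skipped.append(row)
            continue
        seen.add(domain)
        rec = {"name": (row.get("name") or "").strip(), "domains": [{"domain": domain}]}
        (keep if len(keep) < limit else later).append(rec)
    return keep, later, skipped

def sync_companies(send, token, records, journal_path):
    """PUT to the upsert endpoint the scan found; journal each record id as a JSON line before
    the next write, so a crash mid-batch still leaves a usable undo list."""
    created = []
    with open(journal_path, "a") as journal:
        for values in records:
            resp = send("PUT", f"{ATTIO}/objects/companies/records?matching_attribute=domains",
                        token, {"data": {"values": values}})
            record_id = resp["data"]["id"]["record_id"]  # assumed response shape
            journal.write(json.dumps({"object": "companies", "record_id": record_id}) + "\n")
            journal.flush()
            created.append(record_id)
    return created

def rollback(send, token, journal_path):
    """Undo: DELETE every journaled record, newest first; returns the ids removed."""
    with open(journal_path) as journal:
        entries = [json.loads(line) for line in journal if line.strip()]
    removed = []
    for e in reversed(entries):
        send("DELETE", f"{ATTIO}/objects/{e['object']}/records/{e['record_id']}", token)
        removed.append(e["record_id"])
    return removed

class FakeAttio:
    """Constructed stand-in for the API so the demo runs offline; records every call it receives."""
    def __init__(self, workspace_id):
        self.workspace_id, self.calls, self.n = workspace_id, [], 0
    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url))
        if url.endswith("/self"):
            return {"workspace_id": self.workspace_id, "workspace_name": "Acme Sales"}
        if method == "PUT":
            self.n += 1
            return {"data": {"id": {"record_id": f"rec-{self.n}"}}}
        return {}

# Constructed sample of what the skill's generated CSV might look like (not real companies).
SAMPLE_CSV = ("name,domain\n" "Acme Corp,acme.example\n" "Globex,GLOBEX.example\n"
              "Globex again,globex.example\n" "No domain,\n" "Initech,initech.example\n")

def run_demo():
    api = FakeAttio("ws-123")
    token = "attio-key-from-env"  # real use: os.environ["ATTIO_API_KEY"], never pasted into code
    try:                          # wrong workspace is refused before any write happens
        confirm_workspace(api, token, "ws-999"); refused = False
    except PermissionError:
        refused = True
    name = confirm_workspace(api, token, "ws-123")
    keep, later, skipped = plan_companies(SAMPLE_CSV, limit=2)   # small first batch
    fd, path = tempfile.mkstemp(suffix=".jsonl"); os.close(fd)
    created = sync_companies(api, token, keep, path)
    removed = rollback(api, token, path)                          # clean up the trial import
    os.remove(path)
    return {"refused": refused, "workspace": name, "planned": len(keep), "deferred": len(later),
            "skipped": len(skipped), "created": created, "removed": removed,
            "deletes": sum(1 for m, _ in api.calls if m == "DELETE")}

if __name__ == "__main__":
    print(run_demo())
```

Swap `api` for `urllib_send` and the demo token for a key read from the environment to run it for real; keep the journal file, since it is the only record of what the import touched once the records exist in the CRM.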
Prospect criteria and contact data may be processed by Exa, Apollo, and Attio according to those services' policies.
The skill sends search criteria, company domains, and optionally lead/contact records to external providers. This is expected for the stated purpose and is documented.
https://api.exa.ai/search ... https://api.apollo.io/api/v1/mixed_people/search ... https://api.attio.com/v2
Ensure the data use is appropriate for your organization and complies with applicable privacy, outreach, and CRM policies.
Installing from the wrong repository or pulling an unexpected dependency version could change what runs locally.
The README shows placeholder provenance and an unpinned dependency install. This is common for simple Python skills, but users should verify the source and dependency.
git clone https://github.com/YOUR_USERNAME/prospector.git ~/.claude/skills/prospector ... pip install httpx
Install only from a trusted source, and pin httpx to a known version (ideally with hashes) inside a dedicated virtual environment rather than installing whatever version pip resolves at the time.
A pasted value containing a quote or shell metacharacter breaks the setup command, and a crafted value can be run as code, so inline interpolation is both more fragile and less safe than passing values through environment variables or files.
Setup validation is performed through local Python one-liners with substituted user-provided values. Local execution is central to this skill, but careful quoting is important.
python3 -c "
import httpx
key = '[USER_PROVIDED_KEY]'
Only paste API keys obtained directly from the provider, and prefer implementations that pass secrets via environment variables or structured input rather than inline code substitution.
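The fragile pattern beside its hardened form, as an added example that is not part of the skill or the scan report. The template mirrors the README's one-liner (source text with the key spliced in) and is only parsed, never executed, to show how many statements a pasted value produces; the hardened variants run the same check in a child interpreter with the key passed through the environment or stdin. The keys are constructed demo strings, not real credentials.

```python
import ast, os, subprocess, sys

# Mirrors the README pattern: the pasted key is spliced into Python source text.
INLINE_TEMPLATE = "import httpx\nkey = '{key}'\n"

# Constructed demo values (not real credentials).
GOOD_KEY = "sk_demo_0123456789"
QUOTE_KEY = "sk_demo_abc'def"                        # a stray quote: the setup command breaks
INJECTION = "x'; import os; os.system('id'); y='"    # breaks out of the literal: the value becomes code

def inline_statement_count(key):
    """Parse (never run) the source the naive substitution would produce.
    2 = import plus assignment, as intended; None = SyntaxError, setup fails;
    more than 2 = the pasted value smuggled in extra statements."""
    try:
        return len(ast.parse(INLINE_TEMPLATE.format(key=key)).body)
    except SyntaxError:
        return None

# Hardened form: the child reads the key from its environment, so the value never touches source text.
CHILD_ENV = ("import os, sys\n"
             "key = os.environ['ATTIO_API_KEY']\n"
             "sys.stdout.write(str(len(key)))\n")

def key_length_via_env(key):
    """Run the check in a child interpreter; whatever the key contains, it is data, not code.
    Caveat: the environment is readable by other processes of the same user, so stdin or a
    0600 file is stricter still."""
    env = {**os.environ, "ATTIO_API_KEY": key}
    proc = subprocess.run([sys.executable, "-c", CHILD_ENV], env=env,
                          capture_output=True, text=True, check=True)
    return int(proc.stdout)

# Stricter variant: hand the key over stdin, which neither the command line nor the environment exposes.
CHILD_STDIN = ("import sys\n"
               "key = sys.stdin.read().rstrip('\\n')\n"
               "sys.stdout.write(str(len(key)))\n")

def key_length_via_stdin(key):
    proc = subprocess.run([sys.executable, "-c", CHILD_STDIN], input=key + "\n",
                          capture_output=True, text=True, check=True)
    return int(proc.stdout)

if __name__ == "__main__":
    for k in (GOOD_KEY, QUOTE_KEY, INJECTION):
        print(repr(k), "inline statements:", inline_statement_count(k),
              "via env:", key_length_via_env(k), "via stdin:", key_length_via_stdin(k))
```

The length check stands in for whatever the real setup one-liner does with the key (the README's version imports httpx and probes the API); the point is that the child receives the exact bytes the user pasted, quotes and all, while the inline template either fails or runs them. The same applies one layer up: because the README wraps the one-liner in a shell `python3 -c "..."`, a key containing `"` or `$` is also mangled by the shell before Python ever sees it.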
