Zapper

This skill's code appears to implement exactly what it claims (calls Zapper's public GraphQL endpoint), but there are transparency and metadata issues you should address before installing: - The skill requires a Zapper API key stored at ~/.clawdbot/skills/zapper/config.json, but the registry metadata does not declare this credential. Treat the API key like a secret: only install if you trust the skill's source. - Inspect the bundled script yourself (scripts/zapper.sh). It sends POST requests only to https://public.zapper.xyz and formats results locally — no other external endpoints are contacted. - Because disable-model-invocation is not set, the model may be able to call this skill autonomously. If you do not want that, set disable-model-invocation:true or only invoke the skill manually. - Set the config file permissions to be readable only by your user (chmod 600 ~/.clawdbot/skills/zapper/config.json) so the key is not exposed to other users on the system. - The declared required binaries include jq but the script uses python3 for JSON parsing; this is likely harmless but indicates the metadata may be out of sync. Consider running the script locally to confirm behavior before giving it any real API keys. - If you need stronger assurance, ask the publisher for a verifiable source (repo or homepage) or a maintainer signature; the registry lists an owner id and no homepage. If you can't verify the origin, avoid storing sensitive keys for long periods or prefer using a dedicated, scoped API key with minimal privileges.