ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Prospect Research Repo

v0.1.0

Builds a comprehensive pre-meeting intelligence brief on any company or prospect. Surfaces business context, decision-maker background, industry signals, and...

0· 196·0 current·0 all-time
bySteve@stevemichael001
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md align: the skill is an instruction-only prospect research briefing tool that expects to use web search, website fetches, news, job boards, and enrichment services. There are no declared binaries, env vars, or unrelated capabilities requested.
!
Instruction Scope
The SKILL.md tells the agent to use 'web search', 'web fetch', and 'Any available enrichment tools (Apollo, ZoomInfo, LinkedIn, etc.)'. That gives the agent broad freedom to query external services and use any credentials the agent/platform has access to. The instructions do not limit what data can be read or transmitted, nor do they explicitly forbid use of private credentials or personal data; this open scope increases the risk of unintended data access or exfiltration.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low risk from an installation perspective because nothing is written to disk by the skill itself.
!
Credentials
The skill declares no required environment variables or credentials, but explicitly names paid/enriched sources that typically require API keys or logins. Because it tells the agent to use 'any available enrichment tools', the skill may cause the agent to use platform-stored credentials (if present). The absence of declared credentials or a clear justification for them is a mismatch between capability and environment needs.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide changes. Autonomous invocation is allowed (default) but that is normal; there is no evidence the skill modifies other skills or agent configuration.
What to consider before installing
This skill appears to do what it says, but it leaves the agent a lot of latitude to use external enrichment services. Before installing or enabling it, decide whether you want the agent to be allowed to use any LinkedIn/Apollo/ZoomInfo credentials that exist in your environment. If you do not, restrict the agent's access to those credentials or disable autonomous invocation for this skill. Ask the skill author (or your admin) to: 1) explicitly list which external services it will call, 2) declare any credentials it needs, and 3) add a line limiting searches to public sources if you want to avoid using paid/enriched data. Always verify key claims and check cited sources before acting on the brief; watch for privacy issues when researching named individuals.

Like a lobster shell, security has layers — review code before you run it.

latestvk975smp667x63rc8h9m7nqe03n82wxag

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
OSLinux · macOS · Windows

Comments