Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Extruct List Building Skill

v1.0.0

Build targeted company lists for outbound campaigns using Extruct. Use when the user wants to: (1) find companies matching an ICP, (2) build a prospect or ou...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's described purpose (build company lists via Extruct) matches the instructions: all API calls are delegated to an extruct-api skill, and the SKILL.md focuses on query design and workflows. However, the skill does not declare any dependency on the extruct-api skill in its metadata or requirements, even though it repeatedly instructs the agent to call that skill and to read its SKILL.md. The implicit dependency should be declared so users can verify the other skill.
Instruction Scope
The SKILL.md explicitly instructs the agent to read local context files at claude-code-gtm/context/{company}_context.md and claude-code-gtm/context/{vertical-slug}/hypothesis_set.md. Reading workspace context files is reasonable for building lists, but the skill does not declare these config paths in its manifest. Confirm that the agent's workspace contains only intended files and that the agent is allowed to access them. There are no instructions to access unrelated system paths, credentials, or external endpoints beyond delegating to extruct-api.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to an orchestration/decision skill that delegates actual API access to another skill. However, because it delegates all Extruct API calls, any credential needs will be handled by the extruct-api skill—review that skill before trusting end-to-end behavior.
Persistence & Privilege
The skill requests neither always:true nor persistent system changes. It is user-invocable and uses normal agent invocation.
What to consider before installing
This skill is mostly a query-design and orchestration guide that delegates all API calls to an extruct-api skill. Before installing or enabling it: (1) Verify you have the extruct-api skill available and that its SKILL.md and metadata are from a trusted source—this skill implicitly depends on it but does not declare that dependency. (2) Review the extruct-api skill for required credentials and network endpoints, because those credentials will be used to run searches/enrichments. (3) Confirm the workspace paths referenced (claude-code-gtm/context/...) only contain data you want the agent to read; the skill instructs the agent to read those files but does not list them as required config paths. (4) If you cannot inspect the extruct-api skill or confirm provenance, do not enable autonomous agent invocation for this skill; require explicit user approval for any actions that run queries or upload tables. If the extruct-api dependency and provenance are provided and valid, this skill would be coherent and lower risk.
