ClawHub

The SignalHire skill integrates the full SignalHire API into OpenClaw, enabling you to search for prospects and enrich their contact details without leaving your workflow. It exposes three core actions: a credits check, a search-by-query for prospecting, and an asynchronous contact enrichment call

v1.0.0

Prospect and enrich contacts via the SignalHire API (Search, Person and Credits)

1· 2.1k·0 current·0 all-time
by@ms-youssef
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description align with the SignalHire API (credits, search, person/enrichment). The SKILL.md explicitly requires SIGNALHIRE_API_KEY and SIGNALHIRE_CALLBACK_URL which are appropriate for the described async enrichment workflow. However, the registry metadata lists no required env vars/primary credential while SKILL.md declares them — that mismatch is an incoherence and should be corrected. The presence of connector code (connector/main.py) is coherent with the need for a callback/connector service, but the package provides no install spec or homepage, so it's unclear how that connector is expected to be deployed.
Instruction Scope
SKILL.md stays within the stated purpose: it documents how to check credits, perform search, and run Person API jobs with a required callback. It warns not to leak the API key and specifies rate/concurrency limits and expected callback semantics. It does not instruct the agent to read unrelated files or credentials.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, code files (connector/main.py and __init__.py) are present in the bundle but there are no instructions on how/when these files are installed or executed. This is an implementation inconsistency: either the connector is expected to be run by the platform or the user, but that is not documented in the registry metadata or SKILL.md in an explicit install section.
!
Credentials
Requiring SIGNALHIRE_API_KEY and SIGNALHIRE_CALLBACK_URL is proportional to the stated purpose. The concern is the mismatch between the SKILL.md's declared required env vars and the registry metadata (which lists none). Also the callback URL must be publicly reachable—users must understand that the skill will instruct SignalHire to POST potentially sensitive contact data to that endpoint, so the callback endpoint should be under the user's control and secured.
!
Persistence & Privilege
The skill does not set always:true (good) but does not set disableModelInvocation:true, so the model can autonomously invoke the skill. That means an agent could start enrichment jobs (consuming account credits) and cause SignalHire to POST data to the supplied callback URL without an explicit user step. The connector is described as persisting results to CSV; where those files live and their access controls are not documented. Those operational privileges warrant explicit user controls (e.g., require user invocation, audit logs, or whitelist callback URLs).
What to consider before installing
Do not install until you confirm a few things: 1) Fix the registry metadata: the SKILL.md requires SIGNALHIRE_API_KEY and SIGNALHIRE_CALLBACK_URL but the registry lists none — ask the publisher to correct this. 2) Verify the connector code before running: request the connector/main.py source (it exists in the package) and review it locally or in an isolated environment to see what it writes to disk and what network endpoints it uses. 3) Provide a callback URL you control and secure it (HTTPS, IP/host restrictions, auth) because SignalHire will POST contact data there; expect PII in those payloads. 4) Decide whether you want the model to be able to invoke this skill autonomously; if not, ask the author to set disableModelInvocation:true or ensure user-invocable only. 5) Confirm where CSVs are stored, retention policies, and who can access them. 6) Prefer a published source/homepage and clearer install/run instructions before trusting the skill with your SignalHire API key or account credits.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ech1wd23fgf2em8fed67aa980h43r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSIGNALHIRE_API_KEY, SIGNALHIRE_CALLBACK_URL
Primary envSIGNALHIRE_API_KEY

Comments