← 返回 Skills 市场
578
总下载
0
收藏
0
当前安装
14
版本数
在 OpenClaw 中安装
/install prospairrow-websites-mcp
功能描述
Generate more revenue with high-quality leads. Give your AI agent direct access to Prospairrow — extract prospects, enrich with deep company insights, discov...
安全使用建议
This skill appears to be what it says: a local MCP server that talks to Prospairrow and optionally uses Playwright for login flows. Before installing, consider the following:
- Use a dedicated, least-privilege Prospairrow API key (do not reuse highly privileged org keys).
- The runtime will copy source to ~/.openclaw/runtime/websites-mcp and run npm install (packages from the npm registry). Playwright will download browser binaries on first browser use — expect network egress for that.
- By default the runtime will NOT read your ~/.openclaw/openclaw.json; only enable WEBSITES_ALLOW_OPENCLAW_CONFIG_API_KEY if you understand the file contents and accept the fallback behavior. If enabled, the code only looks for the prospairrow-websites-mcp key, but it reads the whole file to get there.
- Browser login state (storage) is written to secrets/<site>/auth.json by default; set WEBSITES_DISABLE_STORAGE_STATE_WRITE=1 to prevent writes if you don’t want local session persistence. Invocation logging is off by default; enable WEBSITES_LOG_INVOCATIONS=1 only if you want local logs written.
- Inspect src/sites/prospairrow/site.json (allowedHosts/baseUrl) before running to confirm the allowlist matches expected Prospairrow endpoints; the runtime enforces an outgoing request allowlist for Playwright network requests.
If you accept the above tradeoffs (local server, local storage of optional login tokens, npm/Playwright downloads), the skill is coherent with its stated purpose. If you are uncomfortable with any of the opt-in behaviors, do not enable those environment flags or run the runtime in read-only mode.
功能分析
Type: OpenClaw Skill
Name: prospairrow-websites-mcp
Version: 1.2.5
The skill bundle is benign. It implements robust security controls, including strict input validation using Zod, URL allowlisting for browser automation (Playwright) to prevent navigation to arbitrary domains, and capability-based access control that defaults to read-only mode. Sensitive data like API keys are handled securely via environment variables or explicitly configured headers, and browser session storage is saved with restricted file permissions (0o600). The installation script uses `npm install --ignore-scripts` to mitigate supply chain risks, and the local JSON-RPC server binds only to `127.0.0.1`. All documentation, including `SKILL.md`, provides clear instructions and does not contain any prompt injection attempts or misleading information. There is no evidence of intentional harmful behavior such as data exfiltration to unauthorized endpoints, backdoors, or arbitrary code execution.
能力评估
Purpose & Capability
Name/description, required env var (PROSPAIRROW_API_KEY), declared tasks, and code modules (src/sites/prospairrow/...) align with a Prospairrow integration for prospect extraction/enrichment. The required config path (skills.entries.mcporter.config.servers.websites-mcp.url) maps to the MCP routing described in docs and is justified by the runtime design. Minor extra site entries (reddit, wordpress) exist but are small, documented, and do not contradict the main purpose.
Instruction Scope
SKILL.md and docs instruct the agent/user to install the included runtime, run npm install (with --ignore-scripts), and start a local JSON-RPC MCP server. Runtime code performs expected actions: task dispatch, optional headed login flows (Playwright), saving browser storage to secrets/<site>/auth.json, and optional invocation logging. The only out-of-band reads are an optional, explicit opt-in read of ~/.openclaw/openclaw.json for API key fallback (controlled by WEBSITES_ALLOW_OPENCLAW_CONFIG_API_KEY). There is no code that sends data to unknown remote endpoints beyond normal API calls (Playwright/network calls are subject to an allowlist per site config).
Install Mechanism
This is an instruction-only skill with a packaged runtime and an install script that copies source to $HOME/.openclaw/runtime/websites-mcp and runs npm install --ignore-scripts. Dependencies come from npm (playwright, etc.). npm and Playwright will fetch packages/binaries from their normal registries, and Playwright may download browser binaries on first use. The install process avoids running package lifecycle scripts (ignore-scripts) which reduces supply‑chain risk; overall the install approach is expected for a Node-based local runtime but carries standard npm/Playwright network fetch considerations.
Credentials
Declared required credential is a single PROSPAIRROW_API_KEY (primaryEnv). The runtime also supports an API-key-in-headers override and an optional OpenClaw config fallback (WEBSITES_ALLOW_OPENCLAW_CONFIG_API_KEY) which reads ~/.openclaw/openclaw.json to find skills.entries.prospairrow-websites-mcp.apiKey or env.PROSPAIRROW_API_KEY. That fallback is disabled by default and must be opt-in; review that file before enabling. The runtime writes local storage state and logs under the runtime directory (secrets/ and logs/), which is proportional to the login/storage features but may store sensitive session data — the behavior can be disabled with WEBSITES_DISABLE_STORAGE_STATE_WRITE and logging is opt-in via WEBSITES_LOG_INVOCATIONS.
Persistence & Privilege
Skill does not request always:true, does not auto-enable itself, and runs a local server only after user starts it. It writes files only under its runtime directory ($HOME/.openclaw/runtime/websites-mcp) and a secrets/ subdirectory for auth storage; this is reasonable for a runtime that optionally stores browser login state. No evidence it modifies other skills' configurations or escalates privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install prospairrow-websites-mcp - 安装完成后,直接呼叫该 Skill 的名称或使用
/prospairrow-websites-mcp触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.5
Harden defaults: disable OpenClaw config API-key fallback unless explicitly enabled; disable invocation logging by default; add optional storage-state write disable flag; document security toggles.
v1.2.4
Add explicit agents/openai.yaml metadata (display name, short description, default prompt) to align registry metadata with package contents.
v1.2.3
Add generate_position_solution; include apollo_enrich and ICP/company score tasks; consolidate skill package source into repo-backed runtime and docs.
v1.2.2
Security fix: server now binds to 127.0.0.1 explicitly (was binding to 0.0.0.0, exposing JSON-RPC to all interfaces). Accurate npm/Playwright download docs. Richer business value copy.
v1.2.1
Accurate install docs (npm fetches deps from registry, Playwright downloads binaries on first use). Richer business value copy.
v1.2.0
Self-contained: runtime source now bundled in skill package. No external git clone, no supply chain risk. Install with scripts/install-runtime.sh.
v1.1.6
Fix repo URL: point bootstrap script and all docs to gitlab.com/discry/prospairrow-websites-mcp (own repo). Resolves ClawHub security flag about third-party supply chain. Also adds discover_competitors task support.
v1.1.5
Harden bootstrap security: require full pinned commit SHA (no refs/branches), verify commit existence and exact match, keep allowlisted repo + deterministic npm ci --ignore-scripts.
v1.1.4
Clarify intentional dual config namespaces: mcporter for MCP routing and prospairrow-websites-mcp for credentials to avoid perceived mismatch.
v1.1.3
Add transparency and business-value messaging to README/SKILL; add reusable ClawHub comment template; clarify pinned-ref bootstrap examples.
v1.1.2
Update bootstrap defaults to current runtime repo (gitlab.com/mpaqt/openclaw-skill), document required WEBSITES_MCP_REF, and keep secure repo allowlist checks.
v1.1.1
Set default bootstrap runtime repo to gitlab.com/mpaqt/prospairrow-websites-mcp and update docs/examples accordingly.
v1.1.0
Add installable bootstrap workflow: runtime bootstrap script, configuration docs, operations runbook, and troubleshooting for dashboard apiKey + PROSPAIRROW_API_KEY fallback.
v1.0.0
Initial release: Prospairrow Websites MCP integration skill with dashboard API key + PROSPAIRROW_API_KEY fallback guidance.
元数据
常见问题
Prospairrow Websites MCP 是什么?
Generate more revenue with high-quality leads. Give your AI agent direct access to Prospairrow — extract prospects, enrich with deep company insights, discov... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 578 次。
如何安装 Prospairrow Websites MCP?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install prospairrow-websites-mcp」即可一键安装,无需额外配置。
Prospairrow Websites MCP 是免费的吗?
是的,Prospairrow Websites MCP 完全免费(开源免费),可自由下载、安装和使用。
Prospairrow Websites MCP 支持哪些平台?
Prospairrow Websites MCP 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Prospairrow Websites MCP?
由 discry(@discry)开发并维护,当前版本 v1.2.5。
推荐 Skills