Enrich company, person, and contact data with 25 tools via the Enrich Layer API. Look up companies, find decision-makers, get work emails, search employees,...
Security Analysis
high confidenceThe skill's declared requirements and runtime instructions are consistent with an Enrich Layer API wrapper; it asks only for the Enrich Layer API key and to run an npm-based MCP server, which matches the stated purpose.
The name/description promise (25 enrichment tools for companies/people/contacts/jobs/schools) aligns with what the SKILL.md documents. Requesting node and an ENRICH_LAYER_API_KEY is expected for an MCP server that proxies calls to the Enrich Layer API. There are no unrelated credentials, binaries, or config paths requested.
The SKILL.md instructs the agent to add an MCP server entry that runs an npm package via npx and to call the declared API for the listed tools. It does not instruct reading unrelated files, harvesting other environment variables, or exfiltrating data to unexpected endpoints. It also advises checking credits before expensive operations, which is appropriate given the service billing model.
This is an instruction-only skill (no local install spec), but the runtime setup relies on npx to fetch and run the @verticalint-michael/enrich-layer-mcp package from npm. Fetching and executing code from npm at runtime is a common pattern for MCP servers but carries the usual moderate risk of executing third-party package code; the package and its GitHub/npm pages are referenced in README, which helps traceability.
Only ENRICH_LAYER_API_KEY is required (declared as primaryEnv). That single credential is proportional and necessary for calling the Enrich Layer API. No unrelated tokens, secrets, or system credentials are requested.
The skill is not marked always:true and does not request persistent system-wide config paths or modify other skills. Autonomous invocation (model-invocation enabled) is the platform default and is not by itself a concern here.
Guidance
This skill appears coherent with its stated purpose, but note a few practical points before installing: 1) The skill instructs OpenClaw to run an MCP server via npx which will fetch and execute an npm package (@verticalint-michael/enrich-layer-mcp) — review that package's npm/GitHub pages to verify the maintainer and code quality. 2) The only secret required is ENRICH_LAYER_API_KEY; treat it like any API key: use least privilege, rotate it if needed, and don't expose it elsewhere. 3) The service can return personal contact details (personal emails/phone numbers); ensure you have legal/ethical authorization to query and store that data and that it complies with privacy/regulatory requirements. 4) Bulk operations can consume credits — the skill sensibly recommends checking balance first; still warn users and require explicit confirmation before high-cost bulk calls. 5) Because this skill is instruction-only, static scanning had no code to analyze — the runtime risk is primarily the npm MCP package and the external Enrich Layer service. If you need lower risk, audit the referenced npm package source or run the MCP server in an isolated environment first.
Latest Release
v0.2.0
Summary: Version 0.2.0 expands tool descriptions and provides detailed usage guidelines for the Enrich Layer skill. - Expanded documentation with an overview of 25 enrichment tools for company, person, contact, school, and job data. - Added extensive usage instructions, including credit checks, tool selection strategies, chaining workflows, and boolean search syntax. - Described new parameters and options for various tools, such as add-ons, cache controls, and bulk-enrichment shortcuts. - Included best practices for using the most cost-effective and efficient enrichment strategies.
Popular Skills
Published by @nicest-michael on ClawHub
