Find domain experts, thought leaders, and subject-matter authorities on any topic. Searches Twitter and Reddit for people who demonstrate deep knowledge, frequent discussion, and above-average expertise in a specific field. Expert discovery, talent sourcing, researcher identification, and KOL (Key Opinion Leader) mapping.
Security Analysis
medium confidenceThe skill's requirements and runtime instructions are coherent with its stated purpose (uses an Xpoz client + web search to find experts), but it depends on an external npm package and an Xpoz account so you should verify the package and OAuth flow before installing.
The skill claims to find domain experts using Twitter/Reddit and the SKILL.md instructs the agent to call the Xpoz service via the mcporter CLI and to use web_search/web_fetch for query expansion. Requiring mcporter, the xpoz-setup helper, and network access to mcp.xpoz.ai is proportional to that purpose. Minor inconsistency: top-level registry metadata lists no explicit 'requires.skills' entry but SKILL.md metadata does require an 'xpoz-setup' skill and an Xpoz account (OAuth), which is plausible but should be noted.
Instructions are specific: expand queries, call mcporter to fetch posts and profiles, poll operation status, download CSVs, classify and produce a report. They do not instruct reading unrelated system files or environment variables, nor do they direct data to unexpected endpoints beyond Xpoz and web search tools. The skill will collect and process social media content (expected for the purpose).
The install spec is an npm package (mcporter) which is a traceable but moderate-risk mechanism (supply-chain risk). The package is not version-pinned in the spec, which increases risk. This is not an arbitrary URL download or archive extract, but you should verify the npm package identity, maintainer, and published version before installing.
No environment variables are declared; authentication is delegated to the 'xpoz-setup' skill via OAuth 2.1, which is appropriate for a third-party service. The skill does require network access to mcp.xpoz.ai and will cause social-media data to be fetched and processed by Xpoz, which is consistent with the function but relevant to privacy and data-sharing considerations.
always:false and default autonomous invocation are normal. The skill depends on another setup skill to obtain credentials; that flow may persist tokens as part of normal OAuth behavior. Because the skill can run autonomously and call external services, consider the usual caution about granting network and install permissions, but there is no indication it requests elevated system privileges or modifies other skills.
Guidance
This skill appears to be what it says: it uses an Xpoz client (mcporter) plus web search to discover experts. Before installing: 1) Verify the mcporter npm package (author, popularity, recent changes) and consider pinning a version; avoid installing unknown packages without review. 2) Inspect or run the xpoz-setup OAuth flow in a controlled way to see what permissions/tokens are granted and where tokens are stored. 3) Be aware that the skill will send queries and retrieved social media content to Xpoz (mcp.xpoz.ai), so review Xpoz's privacy policy if you care about sharing collected data. 4) If you want tighter control, restrict autonomous invocation or require explicit user approval before the skill runs network calls or installs packages. If you can provide the xpoz-setup code or the mcporter package URL/version, I can reassess with higher confidence.
Latest Release
v1.4.0
Added setup section
More by @atyachin
Published by @atyachin on ClawHub
