Lead Generation

Name/description (social lead discovery via Xpoz MCP) aligns with required binary (mcporter), the declared network host (mcp.xpoz.ai) and the SKILL.md calls (mcporter call xpoz.*). The dependency on an xpoz-setup skill for OAuth is coherent with needing user authorization to query Xpoz.

Instructions stay within the stated purpose (product research via web_search/web_fetch, generate queries, call mcporter to fetch platform posts, score and deduplicate, produce outreach drafts). They instruct the agent to write files under data/lead-generation and to use web fetching for product research — both reasonable for this task but worth noting because they create local artifacts and cause the agent to fetch external webpages.

Install spec uses npm to install a package named 'mcporter' which provides the mcporter binary. npm installs are common but carry moderate risk because published packages can contain arbitrary code; there are no direct downloads from untrusted URLs or archives, but you should verify the package's provenance (npm page, GitHub repo, maintainer) before installing.

The skill does not request unrelated environment variables or credentials in its manifest. Authentication is delegated to an xpoz-setup skill (OAuth 2.1), which is proportionate for a service that queries social/post index data.

always:false (no forced global persistence). The skill will write persistent artifacts (product-profile.json, search-queries.json, sent-leads.json) under data/lead-generation and may be invoked autonomously by the agent (default). Consider that stored lead lists may contain personal data and that autonomous invocation + network access increases operational risk if you don't trust the mcporter package or Xpoz service.