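📋 Campaign Orchestrator — Multi-Channel Follow-up
v1.0.0
A multi-channel follow-up campaign orchestrator built for ShapeScale sales. It runs SMS + Email sequences on a schedule, logs automatically to the CRM, and terminates the flow when a reply is received. Suited to demo lead follow-up and bulk outreach.
0 · 2.6k · 3 current · 3 total
Security scan
OpenClaw
Suspicious
medium confidence
The skill's stated purpose (multi-channel campaigns with CRM logging) mostly matches the requested credentials, but the implementation and runtime instructions have multiple mismatches and missing dependencies that could cause unexpected behavior or data exposure — review before installing.
Assessment recommendations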
Things to check before installing or running this skill:
- Missing dependencies: The code calls out-of-repository helpers (e.g., /home/art/niemand/skills/dialpad/send_sms.py and gog-shapescale). Ask the author for the exact required helper scripts or include them. Do not assume those paths exist or are trustworthy.
- Incomplete Attio logging: SKILL.md claims all activity is logged to Attio, but webhook_handler.py has a TODO for Attio logging. Verify the Attio integration is implemented and insp...
ℹ Purpose and capabilities
Requested environment variables (DIALPAD_API_KEY, ATTIO_API_KEY, GOG_KEYRING_PASSWORD) match the described integrations (Dialpad SMS, Attio CRM, Gmail via gog). However, the code and SKILL.md also reference external helper tools and hard-coded filesystem paths (e.g., /home/art/niemand/skills/dialpad/send_sms.py and gog-shapescale) that are not declared as required binaries or provided in the package. That missing/dependent tooling is an incoherence: the skill implicitly requires other local scripts/tools that are not described or installed.
⚠ Instruction scope
SKILL.md promises CRM logging ('All activities recorded in Attio') and multi-channel sending, but webhook_handler.py contains a TODO for Attio logging (not implemented). The sending/integration points shown call out-of-repository commands (python3 /home/.../send_sms.py, gog-shapescale) rather than internal library calls; these external invocations are not declared as required binaries. Webhook matching is simplistic (matches by lead name or name appearing in message) rather than using message IDs or authenticated webhook verification — this can cause false positives/incorrect terminations. SKILL.md also instructs humans/agents to 'search memory/CRM' and perform manual checks; those are operational checks but grant broad discretion and rely on external data sources not formalized in the code.
ℹ Install mechanism
There is no install spec (instruction-only install), which minimizes install-time risk. However, the runtime depends on third-party/local scripts and tools (Dialpad send script, gog-shapescale) and expects a Clawdbot cron scheduler; none of those are installed or described here. The lack of an install mechanism combined with hard-coded absolute paths increases the chance the skill will fail or call unexpected binaries on install/run.
ℹ Credential requirements
The requested env vars are relevant to the stated purpose: Dialpad and Attio API keys and a Google keyring password for Gmail access. That set is small and proportional. Caveats: GOG_KEYRING_PASSWORD appears to be a Google credential stored in a keyring — high sensitivity; the skill does not document how credentials are used nor whether they are transmitted to any external endpoint. Ensure secrets are stored securely and scope-limited (least privilege).
✓ Persistence and privileges
The skill is not always-included and does not request elevated platform privileges. It writes state to a workspace path (default /home/art/niemand/state/campaign-orchestrator/campaigns.json) which is expected for this kind of tool, but the hard-coded default workspace and file location could inadvertently expose data if deployed in a shared environment. Webhook server runs without authentication by default (HTTP on configurable PORT) — deploying publicly without auth/TLS is risky.
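Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/1/31
Initial ClawHub release
● Suspicious
Install command
Official: npx clawhub@latest install campaign-orchestrator
Mirror (accelerated): npx clawhub@latest install campaign-orchestrator --registry https://cn.longxiaskill.com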