Security scan
OpenClaw
Suspicious
medium confidence
The skill broadly matches a cold-email tool, but its documentation, declared requirements, and included scripts are inconsistent — it asks for capabilities (Google Sheets, Hunter/Apollo, SMTP) that are not implemented and it fails to declare required API keys in the registry metadata.
Assessment recommendations
This package is plausibly a working cold-email tool, but it contains several inconsistencies you should understand before installing:
- The registry metadata claims no required env vars, but the scripts require RESEND_API_KEY or SENDGRID_API_KEY at runtime (and the README mentions SMTP). Expect to provide API keys if you run it. The skill should have declared those env vars but didn't.
- SKILL.md advertises Google Sheets, Hunter.io/Apollo, and raw SMTP support; the included code only implements...
⚠ Purpose and capabilities
The name/description match the code: sending emails and enriching leads. However the SKILL.md advertises support for Google Sheets, Hunter.io, Apollo, and raw SMTP, while the included scripts only implement website scraping and sending via Resend or SendGrid. The registry lists no required env vars even though the code expects RESEND_API_KEY or SENDGRID_API_KEY (and mentions SMTP credentials). This mismatch between claimed capabilities and actual implementation is incoherent.
⚠ Instruction scope
The runtime instructions describe sourcing leads from CSV/Sheets/APIs and enriching via vendor APIs or scraping. The code implements CSV I/O and a scraper (scripts/enrich-leads.js) that fetches arbitrary websites and extracts email addresses — behavior consistent with enrichment but potentially broad (network fetches across many domains). The SKILL.md promises Google Sheets and vendor integrations that are not present; it also claims compliance checks (CAN‑SPAM/GDPR) but enforcement is limited to a suppression file and suggested template requirements, not programmatic checks.
✓ Install mechanism
No install spec; this is instruction/code-only and nothing is automatically downloaded or extracted. That lowers installation risk — files are included in the skill bundle and run locally by the user.
⚠ Credential requirements
Registry metadata lists no required env vars but the code explicitly uses RESEND_API_KEY and SENDGRID_API_KEY and will need SMTP credentials if that path were implemented. The absence of declared required credentials is a mismatch that could mislead users into not providing required secrets or accidentally supplying the wrong ones. Otherwise, environment access appears limited to these API keys and normal filesystem/network access.
✓ Persistence and privileges
The skill is not always-on and does not request elevated agent privileges. It writes local logs/tracking files (send-log.csv, suppression.txt) in its directory but does not attempt to modify other skills or global agent configuration.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/13
Automated outbound pipeline: CSV/Sheets leads, email enrichment, personalized templates, drip follow-ups, rate limiting, CAN-SPAM compliance
● Suspicious
Install command
Official: npx clawhub@latest install cold-email-engine
Mirror (accelerated): npx clawhub@latest install cold-email-engine --registry https://cn.longxiaskill.com