OpenClaw Email Lead Generation — the complete outreach and pipeline system for your agent. Guided setup builds your config, Template Forge creates custom ema...
Security Analysis
high confidence
The skill's files, helper script, and runtime rules are consistent with an on-device email lead-generation pipeline; nothing requests unrelated credentials or installs unexpected remote code, but there are a few implementation caveats to review before enabling automation or providing SMTP credentials.
Name/description match what is present: local pipeline, template generation, scoring, and opt-in cron-driven outreach. Required binaries are standard Unix tools appropriate for the described file and text manipulation. Optional metadata lists SMTP/Gmail credentials and the openclaw CLI which are reasonable for sending/cron features and are declared optional.
SKILL.md explicitly restricts all file operations to ~/workspace/leadgen and mandates using the bundled helper script for sanitization and path validation — this is good. The cron/reference docs describe inbox checking and sending behavior, but the included helper script excerpt does not show network/email client code (likely Tier 2/Tier 3 is opt-in). Verify how inbox access and sending are implemented and where credentials are stored before enabling those features. The script and docs also require the agent to execute shell commands via exec — expected but worth noting.
Instruction-only skill with included helper script; no remote downloads or installers. No install spec means nothing is fetched from third-party URLs—lowest install risk. The single local script is bundled in the package.
No required env vars are declared. Optional env names (SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, GMAIL_APP_PASSWORD) are appropriate for an email-sending feature. Before supplying credentials, confirm exactly when and how they will be used and stored (config.yaml location and any encryption/permissions).
always:false and the skill confines its state to ~/workspace/leadgen. Cron jobs are explicitly opt-in (Tier 3) and the SKILL.md enforces that recurring tasks not be scheduled without explicit user action. The skill does not request system-wide privileges or modifications to other skills.
Guidance
This skill appears internally coherent for local lead management and template generation. Before installing or enabling automation:
1) Review the helper script fully (it enforces sanitization and path checks but has fallbacks that are less strict when jq is missing).
2) If you plan to send/receive email, only provide SMTP/Gmail credentials after you verify where they are stored in config.yaml and that you are comfortable with that storage and access model.
3) Keep auto-send and cron disabled until you test flows with a sandbox lead and 'manual' email mode so no real emails are sent unexpectedly.
4) Confirm how inbox access is implemented (openclaw CLI/browser automation, IMAP, or API) because the SKILL.md refers to reply-reading behavior but the bundled script doesn't contain network/email client code in the excerpt — understand that component before enabling Tier 2/3.
5) Consider running the skill in a limited test environment first and ensure jq/openclaw are installed for safer JSON handling and cron integration.
Latest Release
v1.0.1
🎯 v1.0.1 — "Hardened"
🌍 Timezone configuration — all timestamps, cron jobs, and reports respect user's timezone (setup Q7)
🌍 Casual timezone input mapping — "Pacific" / "PST" / "California" auto-resolves to America/Los_Angeles
📧 Email body written to temp file before send — fixes JSON newline escaping bug
📧 Per-domain hourly rate limits — prevent bulk sends to gmail.com, outlook.com, etc.
📧 Email warmup schedule — ramp from 5→10→20→35→50/day for new sending accounts
📧 Compliance footer — auto-append unsubscribe text ("Reply STOP"), configurable per CAN-SPAM
📋 Central audit log — every send, reply, status change, and admin action logged with timestamps
📋 Audit log auto-prune — configurable retention (default 90 days)
📋 Helper command: `audit-log` for structured event logging
📋 Helper command: `audit-prune` for retention enforcement
🛡️ Inbound HTML stripping — `<script>`, `<style>`, and all HTML tags removed from reply content
🛡️ Link validation — URLs in inbound replies flagged before user clicks
🛡️ Credential security rules — passwords NEVER in config, env vars only, agent warns if user pastes secrets
🛡️ Reply content sanitized before JSON storage — prevents injection via inbound email
🛡️ Helper command: `strip-html` for code-enforced HTML removal
🛡️ Helper command: `write-email-body` for safe temp-file email composition
🛡️ Helper command: `domain-sends-count` for per-domain rate limit checks
🛡️ Helper command: `check-warmup` for warmup volume enforcement
📊 Score decay — optional, configurable: -5 points after 14 days inactive (off by default)
📊 Reply check interval — configurable polling frequency for inbox monitoring (default 30 min)

---

## 🎯 v1.0.0 — "First Contact"
🏗️ 3-tier architecture — Pipeline Tracker → Outreach Engine → Autopilot (each unlocks independently)
🏗️ Guided setup — agent walks you through business profile, email config, and template building
🏗️ File-based JSON storage — no database, no dependencies
📊 9-stage pipeline tracking (new → contacted → responded → qualified → call_booked → closed)
📊 Lead scoring 0-100 with configurable weights (industry, pain signals, engagement, replies)
📊 Pipeline dashboard with funnel counts, hot leads, actions due, and AI recommendations
📊 Bulk import from CSV or pasted lists
📊 Search, filter, archive, restore leads
📧 Template Forge — 5-phase voice interview builds your custom 4-email sequence
📧 4-step sequences with configurable delays (Day 0, 3, 7, 14)
📧 Smart personalization — {{first_name}}, {{company_name}}, {{pain_point}}, and more
📧 3 email methods — manual (zero config), SMTP, or browser-based Gmail/Outlook
📧 Human-in-the-loop — agent drafts, you approve before send
⚡ 🌅 Morning Check cron (9am) — reply scan, sentiment analysis, morning briefing
⚡ 📤 Midday Send cron (12pm) — scheduled follow-ups, rate-limited queue
⚡ 📊 Evening Summary cron (5pm) — daily metrics, tomorrow's action list
⚡ 📈 Weekly Report cron (Mon 8am) — performance trends, template rankings, recommendations
🧠 Sentiment analysis on replies — interested / question / objection / not interested / unsubscribe
🧠 Auto-pause sequences on reply, auto-nurture after completion
🧠 Pipeline intelligence — stale lead alerts, bottleneck detection, template performance
🔒 Rate limiting (daily/hourly/per-message configurable)
🔒 Input sanitization on all user data before exec
🔒 Lead data anonymized in shared channels
🔒 Unsubscribe requests immediately honored
🛡️ Bundled `leadgen-helper.sh` — all file operations routed through code-enforced sanitization (not prompt-based)
🛡️ Path traversal prevention — validated in code, can't escape `~/workspace/leadgen/`
🛡️ Shell injection blocked — metacharacters stripped before any exec, `../../` attacks neutralized
🛡️ JSON validation on every lead/template write (uses `jq` if available, basic checks as fallback)
Published by @jeffjhunter on ClawHub