Cold Outreach Starter
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly cold-email templates, but it includes under-declared code that can pull local Company Brain data into outreach prompts.
Review this skill before installing if you use Company Brain or store sensitive company knowledge locally. The visible template content is low risk, but the included Python helper should be documented and opt-in before it pulls local knowledge into outbound sales messages.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this helper is invoked, the skill’s behavior depends on code from another local workspace that was not included in the reviewed package.
The helper loads executable Python code from a hard-coded local workspace outside this skill, while the metadata declares no install spec, binaries, env vars, or config paths. This creates an undeclared dependency and provenance gap.
brain_path = Path("/data/.openclaw/workspace/company-brain") ... sys.path.insert(0, str(brain_path)) ... from brain_wrapper import Brain
Declare the Company Brain dependency explicitly, avoid hard-coded sys.path injection, and document when this helper is used.
Internal brand or company knowledge could be incorporated into generated cold outreach copy if the helper is used.
The helper can retrieve context from a persistent Company Brain and prepend it to an outreach prompt. The main skill describes free templates and optional verification, but does not clearly explain this automatic reuse of local knowledge or how sensitive context is bounded.
result = _brain.strategy(f"brand voice positioning for outreach to {company}") ... return f"Brand Context:\n{result['context']}\n\n---\n\n{legacy_prompt}"
Ask for user approval before using Company Brain context, show what context will be inserted, and provide clear limits or an opt-out.
A user could over-trust the compliance claim and send outreach that still violates applicable rules.
The skill makes a broad legal-compliance claim. Compliance depends on jurisdiction, recipient consent, sender practices, and unsubscribe handling, so users should not treat the template itself as a full compliance guarantee.
- CASL/GDPR compliant templates
Treat the templates as drafting aids only and verify cold outreach compliance for the user’s jurisdiction and mailing process.
