Cold Outreach Starter

Pass. Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: cold-outreach-starter
Version: 1.0.2

The skill bundle provides B2B cold outreach templates and a Python helper script for brand-voice integration. The code in brain_enhance.py attempts to interface with a local dependency (company-brain) within the OpenClaw workspace, but it does not exhibit signs of data exfiltration, malicious execution, or harmful prompt injection. All behaviors are consistent with the stated purpose of generating personalized outreach content.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If this helper is invoked, the skill’s behavior depends on code from another local workspace that was not included in the reviewed package.

Why it was flagged

The helper loads executable Python code from a hard-coded local workspace outside this skill, while the metadata declares no install spec, binaries, env vars, or config paths. This creates an undeclared dependency and provenance gap.

Skill content

brain_path = Path("/data/.openclaw/workspace/company-brain") ... sys.path.insert(0, str(brain_path)) ... from brain_wrapper import Brain

Recommendation

Declare the Company Brain dependency explicitly, avoid hard-coded sys.path injection, and document when this helper is used.

What this means

Internal brand or company knowledge could be incorporated into generated cold outreach copy if the helper is used.

Why it was flagged

The helper can retrieve context from a persistent Company Brain and prepend it to an outreach prompt. The main skill describes free templates and optional verification, but does not clearly explain this automatic reuse of local knowledge or how sensitive context is bounded.

Skill content

result = _brain.strategy(f"brand voice positioning for outreach to {company}") ... return f"Brand Context:\n{result['context']}\n\n---\n\n{legacy_prompt}"

Recommendation

Ask for user approval before using Company Brain context, show what context will be inserted, and provide clear limits or an opt-out.

What this means

A user could over-trust the compliance claim and send outreach that still violates applicable rules.

Why it was flagged

The skill makes a broad legal-compliance claim. Compliance depends on jurisdiction, recipient consent, sender practices, and unsubscribe handling, so users should not treat the template itself as a full compliance guarantee.

Skill content

- CASL/GDPR compliant templates

Recommendation

Treat the templates as drafting aids only and verify cold outreach compliance for the user’s jurisdiction and mailing process.