Cold Outreach Skill
v1.0.0Orchestrates Apollo, LinkedIn, YC Cold Outreach, and MachFive APIs to source leads, enrich profiles, create personalized B2B outreach sequences ready for sen...
⭐ 0· 676·0 current·0 all-time
byHagen Hoferichter@h4gen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (orchestrating Apollo, LinkedIn, YC Cold Outreach, MachFive) matches the declared needs: it asks for Maton gateway API key (MATON_API_KEY) and MachFive API key (MACHFIVE_API_KEY) and instructs installing the referenced upstream skills. Required binaries (npx for ClawHub installs, python3 likely needed by upstream skills) are plausibly relevant. Nothing requested appears unrelated to the stated goal.
Instruction Scope
SKILL.md is an instruction-only orchestration document. It limits actions to installing/updating listed upstream skills, checking for the two API keys, querying Apollo, optional LinkedIn enrichment, and using MachFive for generation. It explicitly forbids inventing personal posts and requires emails for generation-ready mode. It does not instruct reading unrelated system files or exfiltrating data to unknown endpoints.
Install Mechanism
The skill itself has no install spec or code (instruction-only). It tells the operator to run npx -y clawhub@latest to install upstream skills — that will pull packages from the network/npm when you run the commands. This is a normal approach for ClawHub but means running the install commands will download and install third-party packages; review those upstream packages before executing.
Credentials
Only MATON_API_KEY and MACHFIVE_API_KEY are required and both are justified by integration with Maton-gateway-backed Apollo/LinkedIn and MachFive Cold Email. No unrelated secrets or broad cloud credentials are requested. The SKILL.md uses the declared env vars (preflight checks) and does not reference other hidden env values.
Persistence & Privilege
The skill is not always-enabled, and it does not request persistent elevated privileges or modification of other skills. disable-model-invocation is false (normal). Because it is instruction-only, it does not write code to disk by itself; running the suggested npx install commands is an explicit operator action.
Scan Findings in Context
[instruction-only-no-code] expected: Regex scanner had no code files to analyze. This is expected because SKILL.md is an instruction-only meta-skill; any executable content would come from upstream skills installed via npx.
Assessment
This meta-skill appears to be what it says: an orchestrator that coordinates Apollo (via Maton), LinkedIn, a writing/critique framework, and MachFive cold-email generation. Before installing or running it: 1) Confirm the legitimacy and scope of your MATON_API_KEY and MACHFIVE_API_KEY (who issued them, what permissions they grant, and where they are stored). 2) Audit the upstream packages (apollo-api, linkedin-api, yc-cold-outreach, cold-email) before running the npx install commands because those will be downloaded and installed from the network. 3) Be aware the workflow processes personal contact data (emails, LinkedIn profiles) — ensure this use complies with your privacy policy, data protection rules (GDPR, etc.), and your organization's acceptable use. 4) Run installs in an isolated or development environment first (not on sensitive production systems). 5) If you need higher assurance, ask for the upstream skills' code or hashes and verify the Maton gateway behavior (one gateway key for multiple services is plausible but verify with the provider).Like a lobster shell, security has layers — review code before you run it.
latestvk97ayhb22gzzavr83w7jnw74bx815tq2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
dart Clawdis
Binspython3, npx
EnvMATON_API_KEY, MACHFIVE_API_KEY