Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

lemlist official

v1.0.1

Official Lemlist API integration for sales automation and multichannel outreach. Use this skill when users want to: - Manage campaigns (create, list, pause,...

by Mickael Faivre-Maçon (@micktaiwan)
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md clearly requires a Lemlist API key (primaryEnv: LEMLIST_API_KEY) and describes how to authenticate and call Lemlist endpoints, which is coherent with the stated purpose. However, the registry metadata lists no required env vars and no primary credential; that is an internal inconsistency — the skill will not work without an API key, so the metadata is incomplete/misleading.
Instruction Scope
The runtime instructions are focused on Lemlist API usage (endpoints, auth, examples) and instruct the user to add the API key to ~/.openclaw/openclaw.json or expose LEMLIST_API_KEY to the agent/docker sandbox. The instructions do ask to store the API key in the agent config file (persistence), but they do not instruct reading unrelated system files or exfiltrating data to third-party endpoints outside of Lemlist. Scoped to purpose but explicit about writing/storing the API key in agent config.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That is the lowest install risk.
Credentials
Functionality requires a single credential (LEMLIST_API_KEY) which is proportionate to the task. However, the registry metadata did not declare this required env var while the SKILL.md does — a mismatch. Also, instructions recommend storing the API key in ~/.openclaw/openclaw.json or passing it to Docker, which may expose the key to other local processes or skills if the config is broadly accessible; users should ensure the key is stored with appropriate protections and consider using a scoped/limited API key.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It does instruct the user to add the API key to the agent config (persistence limited to its own config entry), which is normal for an integration.
What to consider before installing
This skill's instructions legitimately require a Lemlist API key, but the registry metadata omitted that requirement and the source/homepage are unknown — treat the publisher as unverified. Before installing: (1) verify the skill author or prefer an official source (homepage or repo); (2) provide only a Lemlist API key with minimal permissions and rotate/revoke it if you stop using the skill; (3) store the key securely (beware that adding it to ~/.openclaw/openclaw.json may make it accessible to other local tools/skills); (4) test the skill in a sandboxed agent or Docker environment and monitor Lemlist API usage for unexpected calls; (5) if you intend to receive webhooks, set and verify a webhook secret and host the webhook endpoint securely. The primary red flags are the metadata mismatch (no declared required env) and missing provenance — those are reasons to proceed cautiously rather than a clear indicator of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

latest vk970ee3d4kmg2dn345gg4fs2x581kcj4
587 downloads
0 stars
2 versions
Updated 7h ago
v1.0.1
MIT-0

Lemlist

Interact with the Lemlist API to manage campaigns, leads, sequences, schedules, activities, inbox, webhooks, unsubscribes, exports, and enrichment.

Full endpoint reference: references/api-endpoints.md

Official API docs: https://developer.lemlist.com/api-reference

Setup

1. Get API key

  1. Log in to Lemlist
  2. Go to Settings > Integrations > API Keys
  3. Create a new key — copy immediately, shown only once

2. Configure in OpenClaw

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "lemlist": {
        "apiKey": "your-lemlist-api-key"
      }
    }
  }
}

Alternative explicit format:

{
  "skills": {
    "entries": {
      "lemlist": {
        "env": {
          "LEMLIST_API_KEY": "your-lemlist-api-key"
        }
      }
    }
  }
}

3. Verify

Run: Get my Lemlist team info

Docker sandbox

Forward the key explicitly:

{
  "agents": {
    "defaults": {
      "sandbox": {
        "docker": {
          "env": ["LEMLIST_API_KEY"]
        }
      }
    }
  }
}
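
The scan notes above warn that a key written to ~/.openclaw/openclaw.json may be readable by other local processes. The following check is an added example, not part of the skill or of OpenClaw: it looks for the key in the two config formats shown above and reports loose file permissions. The function names and the 0600 target mode are assumptions of this example.

```python
import json
import os
import stat

def find_lemlist_key(config):
    """Return the config locations that hold a Lemlist key (never the value)."""
    entry = config.get("skills", {}).get("entries", {}).get("lemlist", {})
    hits = []
    if entry.get("apiKey"):
        hits.append("skills.entries.lemlist.apiKey")
    if entry.get("env", {}).get("LEMLIST_API_KEY"):
        hits.append("skills.entries.lemlist.env.LEMLIST_API_KEY")
    return hits

def audit_config(path):
    """Return a list of findings for the config file; an empty list means clean."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    with open(path, encoding="utf-8") as fh:
        hits = find_lemlist_key(json.load(fh))
    # Any group/other permission bit lets another local account read the key.
    if hits and mode & 0o077:
        findings.append(f"{path} holds a Lemlist key but has mode {mode:04o}; use 0600")
    # A file owned by someone else can be rewritten behind the user's back.
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    # Two copies mean two places to rotate; keep one format only.
    if len(hits) > 1:
        findings.append("key is set in both formats: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    target = os.path.expanduser("~/.openclaw/openclaw.json")
    if os.path.exists(target):
        for line in audit_config(target) or ["no findings"]:
            print(line)
```

The findings name the config location but never print the key itself, so the output is safe to paste into a ticket.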

Authentication

Base URL: https://api.lemlist.com/api

Basic Auth with empty username (colon before key is mandatory):

Authorization: Basic base64(:LEMLIST_API_KEY)

Python Helper

Use this pattern for all API calls:

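import base64
import json
import os
import urllib.request

API_KEY = os.environ["LEMLIST_API_KEY"]
# Basic Auth with an empty username: the leading colon is required.
AUTH = base64.b64encode(f":{API_KEY}".encode()).decode()
BASE = "https://api.lemlist.com/api"

def api(path, method="GET", data=None):
    # Send a body whenever data is given, including an empty dict.
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(f"{BASE}{path}", data=body, method=method)
    req.add_header("Authorization", f"Basic {AUTH}")
    # Python's default User-Agent is blocked by Cloudflare (403).
    req.add_header("User-Agent", "OpenClaw/1.0")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    # Time out instead of hanging, and close the connection when done.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)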

Endpoint Summary

| Domain | Key endpoints |
|---|---|
| Team | GET /team, /team/members, /team/credits, /team/senders |
| Campaigns | GET/POST /campaigns, PATCH /campaigns/:id, POST pause/start |
| Sequences | GET /campaigns/:id/sequences, POST/PATCH/DELETE steps |
| Leads (campaign) | GET/POST/PATCH/DELETE /campaigns/:id/leads/:idOrEmail |
| Leads (global) | GET /leads, POST pause/start/interested/notinterested |
| Lead variables | POST/PATCH/DELETE /leads/:id/variables |
| Activities | GET /activities (filter: campaignId, type) |
| Schedules | CRUD /schedules, POST /campaigns/:id/schedules |
| Unsubscribes | GET /unsubscribes, POST/DELETE /unsubscribes/:value |
| Webhooks | GET/POST/DELETE /hooks (max 200/team) |
| Inbox | GET /inbox, POST email/linkedin/whatsapp/sms |
| Inbox labels | CRUD /inbox/labels, assign via /conversations/labels/:contactId |
| Companies | GET /companies, /companies/:id/notes |
| Contacts | GET /contacts, /contacts/:idOrEmail |
| Exports | GET /campaigns/:id/export (sync), /export/start (async) |
| Enrichment | POST /leads/:id/enrich, GET /enrich/:id, POST /enrich (batch) |
| Tasks | GET/POST/PATCH /tasks, POST /tasks/ignore |
| Lemwarm | POST start/pause, GET/PATCH settings via /lemwarm/:mailboxId |

For request/response details, read references/api-endpoints.md.

Pagination

Params: offset (default 0), limit (max 100), page (1-based, overrides offset).

Paginated responses include pagination: { totalRecords, currentPage, nextPage, totalPage }. Some older endpoints return a plain array.
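
A pagination loop that copes with both response shapes described above, as an added example that is not part of the skill. It assumes the records sit in the single list-valued field beside pagination, and that currentPage reaching totalPage marks the last page; the page states neither, and the function names are this example's own.

```python
from urllib.parse import urlencode

MAX_LIMIT = 100  # page-size ceiling stated in this section

def _records(resp):
    """Split one response into (records, pagination or None)."""
    if isinstance(resp, list):
        return resp, None  # older endpoint: plain array, no metadata
    pg = resp.get("pagination")
    # Assumption: the records are the only list-valued field beside "pagination".
    lists = [v for k, v in resp.items() if k != "pagination" and isinstance(v, list)]
    if pg is None or len(lists) != 1:
        raise ValueError("unrecognised response shape")
    return lists[0], pg

def paginate(fetch, path, limit=MAX_LIMIT, max_pages=1000):
    """Yield every record from `path`.

    fetch(path_with_query) must return decoded JSON; in real use pass the
    api() helper from the Python Helper section.
    """
    limit = max(1, min(limit, MAX_LIMIT))
    previous = None
    for page in range(1, max_pages + 1):
        resp = fetch(f"{path}?{urlencode({'page': page, 'limit': limit})}")
        records, pg = _records(resp)
        if pg is None and records == previous:
            return  # endpoint ignored `page` and repeated itself
        yield from records
        if pg is not None:
            # Assumption: currentPage reaching totalPage means no more pages.
            if pg["currentPage"] >= pg["totalPage"]:
                return
        elif len(records) < limit:
            return  # short plain-array page: nothing left
        previous = records
    # Fail loudly instead of looping forever on a misbehaving endpoint.
    raise RuntimeError(f"stopped after {max_pages} pages; check the endpoint")
```

Because the API does not throttle (see Gotchas), the max_pages bound is the only thing that stops a runaway loop on the client side.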

ID Prefixes

cam_ campaign, lea_ lead, skd_ schedule, seq_ sequence, tea_ team, usr_ user.

Gotchas

  • User-Agent required — set User-Agent: OpenClaw/1.0; Python's default UA is blocked by Cloudflare (403)
  • Basic Auth format — empty username mandatory: base64(":key"), not base64("key")
  • No campaign deletion — only pause via API
  • Email encoding — @ must be encoded as %40 in URL path params
  • Webhook auto-deletion — 404/410 response silently removes the webhook
  • No rate limiting — the public API does not throttle
  • Variable deletion — DELETE /leads/:id/variables deletes vars, not the lead
  • Sync vs async export — /export returns CSV directly, /export/start + poll for large volumes
  • Limits — 100 items/page, 200 webhooks/team, 100 API keys/team
