Lead Gen + CRM Pipeline

Audited by ClawScan on May 10, 2026.

Overview

This skill appears coherent for its lead-generation purpose, but it can use your CRM and email accounts to create records and send real outreach, so those steps need explicit approval.

Install only if you are comfortable giving it CRM, search/enrichment, and email-provider access. Initialize the workspace in a secure location, use scoped or test API keys first, review generated leads before CRM pushes, always run campaign dry-runs, and require explicit approval before sending real emails.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or premature non-dry-run could send real outreach emails from the user's account and affect sender reputation or compliance obligations.

Why it was flagged

The non-dry-run path sends real emails to pending campaign recipients through SendGrid, up to the configured daily limit. This is central to the skill's purpose and disclosed, but it is high-impact and should only happen after user review.

Skill content

```python
pending = [r for r in recipients if r["status"] == "pending"] ... requests.post(
    "https://api.sendgrid.com/v3/mail/send"
```
Recommendation

Always run `--dry-run` first, require explicit user approval before the real send command, keep daily limits low, and consider adding an explicit confirmation or approved flag to the campaign file.

What this means

If run with the wrong CRM key or batch, the skill could create unwanted CRM records in the user's account.

Why it was flagged

The skill uses CRM API tokens to create contacts or people in third-party CRM accounts. That write access is purpose-aligned, but it grants meaningful account authority.

Skill content

```python
headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
json={
    "properties": {
        "email": email,
```
Recommendation

Use least-privilege CRM tokens where possible, test with CSV or a small single-lead push first, and review the qualified leads before batch CRM writes.

What this means

Anyone or anything with access to the workspace could read stored leads, campaign recipients, and configured secrets.

Why it was flagged

The workspace persists API keys, SMTP credentials, lead contact data, campaigns, and reports in local JSON files. This is expected for the workflow but creates retained sensitive data.

Skill content

```text
BASE_DIR="${LEAD_GEN_DIR:-$HOME/.openclaw/workspace/lead-gen}" ... "sendgrid_api_key": "", ... "smtp": { "host": "", "port": 587, "user": "", "pass": "" }
```
Recommendation

Keep the workspace out of synced/shared folders, restrict file permissions, avoid storing long-lived broad-scope secrets, and periodically purge old leads and campaigns.

What this means

Installing whichever package version is latest at install time may behave differently over time or across environments.

Why it was flagged

The dependency installation is manual and unpinned. `requests` is a normal dependency for these HTTP API scripts, but an unpinned install is less reproducible than a locked dependency.

Skill content
```bash
pip3 install requests
```
Recommendation

Install in a virtual environment and pin a known-good `requests` version if reproducibility matters.