← 返回 Skills 市场

Cold Email Engine

Name: Cold Email Engine
Author: merjua14

作者 merjua14 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

330

总下载

当前安装

版本数

在 OpenClaw 中安装

/install cold-email-engine

功能描述

Automated cold email outreach system with lead enrichment, personalized templates, drip sequences, and CAN-SPAM compliance. Use when building outbound sales...

使用说明 (SKILL.md)

Cold Email Engine

Automated outbound email pipeline: find leads → enrich contacts → send personalized emails → drip follow-ups.

Pipeline

Source leads — from CSV, Google Sheets, API scraping, or manual input
Enrich — find emails via website scraping, Hunter.io, or Apollo
Personalize — variable substitution in templates ({name}, {company}, {pain_point})
Send — via Resend, SendGrid, or raw SMTP with rate limiting
Drip — automated follow-ups at day 3 and day 7
Track — log all sends, bounces, replies to CSV/Sheets

Requirements

Email provider API key — Resend (RESEND_API_KEY), SendGrid, or SMTP credentials
Verified sending domain — with SPF, DKIM, DMARC configured
Lead source — CSV file, Google Sheet ID, or API endpoint

Quick Start

# Set environment
export RESEND_API_KEY=your_key

# Send from CSV
node scripts/cold-email-engine.js --source leads.csv --template templates/default.txt --from "Name \[email protected]>"

# Dry run (no emails sent)
node scripts/cold-email-engine.js --source leads.csv --template templates/default.txt --dry-run

# Run drip follow-ups
node scripts/cold-email-engine.js --drip --days 3

Configuration

Edit scripts/config.json:

maxPerDay: Daily send limit per domain (default: 25)
delayBetweenMs: Delay between emails in ms (default: 3000)
dripDays: Follow-up schedule [3, 7] days after initial send
suppressionFile: Path to suppression/unsubscribe list
trackingFile: Path to send log

Templates

Templates use {variable} syntax. Available variables:

{first_name}, {last_name}, {email}
{company}, {website}, {city}, {state}
{pain_point} — auto-generated from website analysis
{sender_name}, {sender_title}

Template Example

Subject: {company} — quick question

Hi {first_name},

I noticed {company} {pain_point}. We help businesses like yours 
fix that in under a week.

Would it make sense to chat for 10 minutes this week?

{sender_name}
{sender_title}

Compliance

CAN-SPAM: physical address in footer, unsubscribe mechanism
GDPR: only email businesses (B2B exemption), honor removal requests
Rate limits: 25/day per domain, 3-second delay between sends
Suppression list checked before every send

Scripts

scripts/cold-email-engine.js — Main send engine
scripts/enrich-leads.js — Email finder from websites/domains
scripts/config.json — Configuration

References

See references/deliverability.md for domain warmup and inbox placement
See references/templates.md for proven email templates by industry

安全使用建议

This package is plausibly a working cold-email tool, but it contains several inconsistencies you should understand before installing: - The registry metadata claims no required env vars, but the scripts require RESEND_API_KEY or SENDGRID_API_KEY at runtime (and the README mentions SMTP). Expect to provide API keys if you run it. The skill should have declared those env vars but didn't. - SKILL.md advertises Google Sheets, Hunter.io/Apollo, and raw SMTP support; the included code only implements CSV input, website scraping for emails, and Resend/SendGrid sending. If you need Sheets or vendor integrations, they are not present. - The enrichment script fetches arbitrary public websites to extract emails. This is expected for enrichment, but be aware of legal and ethical considerations (website scraping rules, terms of service, and privacy laws). Do not run it against harvested/purchased consumer lists or where scraping is prohibited. - The tool writes local files (suppression list, send log). Review those files and the code so you know what is stored locally. Run with --dry-run first to confirm behavior. - Verify any API keys you provide are scoped appropriately and rotate them after testing. Prefer using a dedicated sending account/domain you control, and ensure SPF/DKIM/DMARC are configured as advised. What would raise confidence: updated registry metadata declaring required env vars, removal or clear labeling of unimplemented features in SKILL.md (or addition of Sheets/Hunter/APIs in code), and explicit rate-limit, retry, and consent-enforcement code for compliance. If you want, I can list the exact lines to change or produce a minimal checklist to safely test this skill in an isolated environment.

功能分析

Type: OpenClaw Skill Name: cold-email-engine Version: 1.0.0 The skill bundle provides a functional cold email outreach system, but contains a significant SSRF (Server-Side Request Forgery) vulnerability in `scripts/enrich-leads.js`. This script fetches content from URLs constructed directly from user-provided CSV data without validating the target domains, which could allow an attacker to probe internal network services or cloud metadata endpoints. Additionally, `scripts/cold-email-engine.js` uses un-sanitized CSV headers in a dynamic `RegExp` constructor for template substitution, creating a potential risk for Regular Expression Denial of Service (ReDoS).

能力评估

⚠ Purpose & Capability

The name/description match the code: sending emails and enriching leads. However the SKILL.md advertises support for Google Sheets, Hunter.io, Apollo, and raw SMTP, while the included scripts only implement website scraping and sending via Resend or SendGrid. The registry lists no required env vars even though the code expects RESEND_API_KEY or SENDGRID_API_KEY (and mentions SMTP credentials). This mismatch between claimed capabilities and actual implementation is incoherent.

⚠ Instruction Scope

The runtime instructions describe sourcing leads from CSV/Sheets/APIs and enriching via vendor APIs or scraping. The code implements CSV I/O and a scraper (scripts/enrich-leads.js) that fetches arbitrary websites and extracts email addresses — behavior consistent with enrichment but potentially broad (network fetches across many domains). The SKILL.md promises Google Sheets and vendor integrations that are not present; it also claims compliance checks (CAN‑SPAM/GDPR) but enforcement is limited to a suppression file and suggested template requirements, not programmatic checks.

✓ Install Mechanism

No install spec; this is instruction/code-only and nothing is automatically downloaded or extracted. That lowers installation risk — files are included in the skill bundle and run locally by the user.

⚠ Credentials

Registry metadata lists no required env vars but the code explicitly uses RESEND_API_KEY and SENDGRID_API_KEY and will need SMTP credentials if that path were implemented. The absence of declared required credentials is a mismatch that could mislead users into not providing required secrets or accidentally supplying the wrong ones. Otherwise, environment access appears limited to these API keys and normal filesystem/network access.

✓ Persistence & Privilege

The skill is not always-on and does not request elevated agent privileges. It writes local logs/tracking files (send-log.csv, suppression.txt) in its directory but does not attempt to modify other skills or global agent configuration.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install cold-email-engine
安装完成后，直接呼叫该 Skill 的名称或使用 /cold-email-engine 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Automated outbound pipeline: CSV/Sheets leads, email enrichment, personalized templates, drip follow-ups, rate limiting, CAN-SPAM compliance

元数据

Slug cold-email-engine

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题