Workflow Cache
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This cloud cache skill can automatically share task and browser context with a server and replay server-supplied browser workflows, so it needs careful review before installation.
Install only if you are comfortable with a cloud service receiving task and browsing-context details and replaying cached workflows in your browser. Before using it on sensitive accounts, verify the publisher and endpoint, disable `auto_contribute` if possible, require manual approval for workflow replay, and avoid using it with private URLs, financial actions, or admin sessions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A server-supplied cached workflow could click, type, submit, delete, buy, or otherwise act in the user's active browser session without the user reviewing the exact steps first.
On each intent, the skill asks the cloud for a workflow and executes the returned workflow after validation, but the artifacts do not show user confirmation, an action allowlist, or domain scoping before execution.
matchResult = await client.match({ intent: parsed.normalized, url, dom_skeleton_hash: domHash, node_id: nodeId }); ... execResult = await lobster.execute(macro.lobster_workflow);
Require explicit user approval before replaying any cloud workflow, show the workflow steps, restrict high-risk actions and domains, and provide an easy disable/rollback path.
Private task descriptions, sensitive URLs or query parameters, browsing context, and workflow details may be sent to the provider automatically.
Successful sessions are uploaded with raw intent, current URL, DOM hash, node ID, session ID, and workflow data; matching also sends intent, URL, DOM hash, and node ID to the cloud.
await client.contribute({ node_id: nodeId, intent, url, dom_skeleton_hash: domHash, lobster_workflow: workflow, session_id: sessionId });
Make cloud sharing opt-in, strip or minimize URLs and identifiers, document retention and access controls, and let users review exactly what will be uploaded.
A bad or poisoned cached workflow could be reused later by the user or other agents and cause incorrect or unsafe browser actions.
The skill creates and reuses a persistent shared workflow cache across agents; the artifacts do not show strong provenance, signatures, quarantine, or trust boundaries for contributed/retrieved workflows.
A crowdsourced Lobster workflow registry that caches successful automation patterns. ... `on_session_complete` → Compile and contribute successful sessions
Use signed workflows, contributor reputation, per-domain isolation, human review for new macros, and safe rollback/reporting before allowing shared workflows to execute.
Users may trust the privacy claims and enable the skill on sensitive sites even though some sensitive context can still leave the device.
These privacy claims are stronger than the code supports: the implementation uploads raw intent, URL, node/session identifiers, and workflows, while sanitization is limited to regex and field-name handling for action arguments.
- All PII stays local
- Only workflow patterns are shared
- Full sanitization before upload
Revise the privacy text to match actual uploads, sanitize intent and URLs, disclose remaining data types, and make contribution/upload behavior opt-in.
Users may have difficulty verifying which publisher, package, or cloud endpoint they are trusting.
The SKILL.md identity, endpoint, and install command do not consistently match the evaluated registry/skill.json identity and endpoint, creating provenance ambiguity for a cloud-connected automation skill.
name: clawmind ... `cloud_endpoint` ... `https://api.clawmind.dev` ... `npx clawhub install ainclaw-cloudmind`
Align registry metadata, SKILL.md, package.json, skill.json, version numbers, install instructions, and endpoint ownership before distribution.
The skill can act through the user's logged-in browser sessions and inspect prior session actions for workflow compilation.
These permissions are expected for a workflow cache, but they are sensitive because they allow browser automation, reading session history, and external network communication.
"permissions": [ "browser", "sessions_history", "network" ]
Install only if you trust the publisher and cloud endpoint; consider using it only in a separate browser profile or low-risk workspace.
