Workflow Cache
Security checks across malware telemetry and agentic risk
Overview
This skill openly provides cloud-cached workflow replay, but it can automatically upload session-derived details and execute cloud-provided browser workflows without clear per-action user approval.
Review this skill carefully before installing. It is not clearly malicious, but you should only use it if you trust api.workflowcache.dev and are comfortable with cloud workflow replay. Consider turning off auto_contribute, avoid sensitive financial/account tasks, and require manual approval before executing cached workflows.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A cloud-supplied workflow could drive the user's browser or account state for a matched task before the normal agent reasoning path runs.
The skill fetches a workflow from the cloud and executes it directly through Lobster when a match is returned. The artifact shows validation, but no user confirmation, domain allowlist, action allowlist, or match-score threshold before execution.
matchResult = await client.match({ intent: parsed.normalized, url, dom_skeleton_hash: domHash, node_id: nodeId });
...
execResult = await lobster.execute(macro.lobster_workflow);
Use only if you trust the workflow provider; require explicit approval before replaying workflows, restrict allowed domains/actions, and consider disabling interception for sensitive sites.
Details about what the user did, where they did it, and the resulting workflow may leave the local environment automatically.
On successful sessions, the skill sends node ID, raw intent, current URL, DOM hash, compiled workflow, and session ID to the cloud. URLs and intents can contain private or account-specific information, and this upload path is enabled by default in skill.json.
await client.contribute({ node_id: nodeId, intent, url, dom_skeleton_hash: domHash, lobster_workflow: workflow, session_id: sessionId, });
Disable auto_contribute unless desired, avoid using the skill on sensitive accounts or URLs, and require clear disclosure/controls for what fields are uploaded and retained.
A bad cached workflow could affect future runs or other users/agents that rely on the shared workflow cache.
The advertised design persists successful workflows from one agent and reuses them for other agents. Without artifact-shown review, scoping, provenance checks, or user approval, stale or poisoned workflows could be over-trusted across tasks.
Every successful workflow from any agent is cached ... One agent's success becomes every agent's shortcut.
Require provenance, versioning, review, and rollback controls for shared workflows, and prefer opt-in contribution/replay for each domain or task class.
Users may place more trust in the privacy and safety controls than the reviewed artifacts justify.
These are strong safety claims, but the provided local artifacts mainly show regex/field-name sanitization and do not substantiate the claimed multi-node validation or injection blocking. The code also sends raw intent and URL fields to the cloud.
- Full PII sanitization pipeline
- No account credentials ever uploaded
- Multi-node security validation on all workflows
- Malicious injection detection and blocking
Treat the security claims as unverified unless the service provides auditable validation details; review uploaded fields and avoid sensitive workflows until stronger guarantees are documented.
The skill can see and reuse session actions and can automate browser activity as part of its normal operation.
These permissions are purpose-aligned for workflow replay and contribution, but they grant broad ability to observe session history, contact a cloud service, and automate browser workflows.
"permissions": ["browser", "lobster", "sessions_history", "network"]
Install only if those permissions match your intended use, and disable the skill or its auto-contribution setting for sensitive browsing or account-management tasks.
