Workflow

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is mostly a coherent muapi workflow wrapper, but it tells the agent to reinstall a local muapi CLI from source at the start of every session before use.

Review and trust the muapi CLI source before installing it, and avoid letting the agent reinstall local code automatically each session. Use this skill only with explicit confirmation for workflow creation, editing, deletion, execution, downloads, and webhook destinations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the local muapi-cli source path is wrong or untrusted, installing it could run unreviewed code and alter the user's Python environment.

Why it was flagged

This asks the agent/user to install code from a local source path before use, and the referenced CLI source is not included in the supplied skill artifacts or declared in the install spec.

Skill content

Always ensure the `muapi` CLI is up-to-date before running any commands. Reinstall from source at the start of every session:

```bash
pip install --upgrade /path/to/muapi-cli
```

Recommendation

Do not auto-run the pip install step. Install the muapi CLI separately from a trusted, reviewed source and declare the CLI dependency in the skill metadata or install spec.

What this means

The agent could modify or remove workflows if the user asks it to use those commands, so mistakes may affect saved workflow assets.

Why it was flagged

The documented CLI authority includes creating, editing, renaming, deleting, and executing workflows. This is aligned with the skill's purpose, but it can change provider-side workflow state.

Skill content

Full CRUD + visualization directly from the terminal ... muapi workflow edit <id> ... muapi workflow rename <id> --name "Product Pipeline v2" ... muapi workflow delete <id>

Recommendation

Confirm workflow IDs and intended changes before edit, rename, delete, or execution commands, especially for workflows that are important or shared.

What this means

Workflow details or generated output metadata could be delivered to the webhook destination if this option is used.

Why it was flagged

The run wrapper can pass a user-supplied webhook URL to the muapi CLI, which may cause workflow run events or outputs to be sent to an external endpoint.

Skill content

```bash
[ -n "$WEBHOOK" ] && ARGS+=("--webhook" "$WEBHOOK")
```

Recommendation

Use webhook URLs only when they are trusted and intended for this workflow run, and avoid sending sensitive prompts or outputs to unknown endpoints.