Security audit

Dify Workflow DSL Expert

Security checks across malware telemetry and agentic risk

Overview

This is a Dify workflow-editing skill with visible example templates that may call APIs or LLM providers only if a user adapts and runs them in Dify.

Install this only if you want help editing Dify workflow YAML. Before using any template in a real Dify instance: inspect every HTTP and LLM node; replace example endpoints and providers deliberately; keep secrets in Dify environment variables; avoid sending sensitive or regulated data to external providers without approval; and keep an exported backup before re-importing workflow changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

High
Confidence: 96%
Finding
This template goes beyond the stated skill purpose of editing and validating Dify workflow DSL by embedding an operational workflow that fetches external data and sends it for LLM processing. That mismatch increases the risk of unintended data exfiltration, misuse of secrets, and users invoking networked behavior they would not reasonably expect from this skill.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The workflow defines a secret API key and uses it for outbound network access even though the declared skill purpose is DSL editing/validation, not live integrations. Unnecessary secret-backed connectivity expands the attack surface and can lead to credential misuse or unauthorized external calls in contexts where users do not expect any runtime execution.

Missing User Warnings

Medium
Confidence: 96%
Finding
On the fail branch, the workflow sends both the parser error details and the full original user input to an external Anthropic model. If users provide sensitive JSON or embedded secrets, those contents are disclosed to a third-party service without any apparent minimization, consent, or manifest-level warning, creating a real confidentiality risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The HTTP request transmits user-supplied input and a bearer token to an external service without any disclosure, confirmation step, or data-handling notice. In a skill framed as workflow editing/validation, this creates a hidden external transmission path that can leak user data and expose credential use to third-party systems.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow forwards externally fetched content into an LLM without warning about privacy, retention, or downstream processing. This is dangerous because the fetched data may contain sensitive or regulated content, and users of a DSL-editing skill may not expect their data to be sent to a model provider.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow directly inserts user-provided `content` into prompts for three LLM nodes configured to use an external provider (`langgenius/openai/openai`), but the skill metadata and template provide no disclosure, consent, or data-handling warning. This creates a real data-exposure risk because operators may use the template for sensitive internal text under the assumption it remains local in a self-hosted Dify deployment, when in fact the content is transmitted to a third-party model endpoint.

Ssd 3

Medium
Confidence: 97%
Finding
The prompt explicitly includes the entire original input in the error-recovery request, which maximizes the chance that sensitive user-provided content is echoed, retained, or processed unnecessarily by the model. In this workflow context, the LLM is used for repair of malformed data, so sending the whole payload is broader than necessary and increases data leakage risk.

VirusTotal

65/65 vendors flagged this skill as clean.