Flow
Warn
Audited by ClawScan on May 10, 2026.
Overview
Flow appears purpose-built for workflow creation, but it writes executable Python from unescaped request/registry text and its default security gates can still include risky components.
Install only in a sandbox or virtual environment, set security_level to strict, review generated Python files before running them, and disable automatic registry updates if you do not want generated workflows reused later.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted request or registry entry could create a workflow file that does more than the user intended when executed later.
Skill names, paths, and parsed step text are interpolated directly into a Python file. If those values contain quotes or Python syntax, the generated flow can be syntactically altered and may execute injected code when run.
f' self.components["{skill.name}"] = self._load_skill("{skill.path}")' ... f' results["step_{i}"] = self._execute_step("{step}", kwargs)' ... with open(output_path, 'w') as f:
Generate code using safe templating, repr()/json serialization for all inserted strings, strict name/path validation, and require user review before running generated flows.
A workflow may include components the scanner already rated high-risk, without an explicit stop or approval step.
In the default configuration, HIGH-risk scanned skills are warned about but still added to the composed workflow unless the user has explicitly enabled strict mode.
'security_level': 'standard' ... elif scan_result.risk_level == 'HIGH': ... else: warnings.append(f"{skill.name} has elevated risk") ... scanned_skills.append(skill)
Block HIGH-risk components by default, require explicit confirmation to continue, and show the exact scanner findings before composition.
Users may assume the whole skill package was checked even though important non-Python behavior may not be scanned.
The scanner used before composition only examines Python files, so other skill artifacts such as instructions, install files, or non-Python helpers can bypass this security gate.
# Only scan Python files, skip docs/markdown
if path.endswith('.py'):
    files_to_scan = [path]
... if file.endswith('.py'):
Scan complete skill packages, including SKILL.md, install specs, dependency files, and helper scripts, or clearly label the scanner as Python-only.
A bad or unintended generated flow can remain available and influence later workflow composition.
Newly generated flows are saved into the registry for future reuse by default, creating persistent workflow state.
'auto_update_registry': True ... if self.config['auto_update_registry']:
    self.registry.register(flow_skill)
Review generated flows before reuse, disable auto_update_registry when experimenting, and periodically clean the registry.
Future dependency changes could alter behavior or introduce dependency risk.
Dependencies are specified with lower bounds rather than pinned versions, so installs can resolve to newer package versions than the author tested.
streamlit>=1.28.0 pandas>=2.0.0 nltk>=3.8.0 spacy>=3.6.0 bandit>=1.7.5 safety>=2.3.0
Install in an isolated environment and prefer pinned, hash-verified dependency versions for production use.
