Flow
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: flow
Version: 0.1.4
The OpenClaw AgentSkills bundle is classified as benign. The core functionality involves an 'Intelligent Skill Orchestrator' that processes natural language requests to compose and execute new skills. Crucially, the `skill_scanner_integration.py` module is designed to actively detect and block malicious patterns such as arbitrary code execution (`eval`, `exec`, `os.system`), data exfiltration, and crypto mining indicators. The `flow.py` orchestrator explicitly checks and blocks skills with critical security issues. The `SKILL.md` instructions and all code files are aligned with the stated purpose of building secure workflows and do not contain any evidence of intentional harmful behavior or prompt injection attempts against the agent. All dependencies listed in `requirements.txt` are legitimate and include several security and code analysis tools, further supporting its defensive posture.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted request or registry entry could create a workflow file that does more than the user intended when executed later.
Skill names, paths, and parsed step text are interpolated directly into a Python file. If those values contain quotes or Python syntax, the generated flow can be syntactically altered and may execute injected code when run.
f' self.components["{skill.name}"] = self._load_skill("{skill.path}")' ... f' results["step_{i}"] = self._execute_step("{step}", kwargs)' ... with open(output_path, 'w') as f:
Generate code using safe templating, repr()/json serialization for all inserted strings, strict name/path validation, and require user review before running generated flows.
A workflow may include components the scanner already rated high-risk, without an explicit stop or approval step.
In the default configuration, HIGH-risk scanned skills are warned about but still added to the composed workflow unless the user has explicitly enabled strict mode.
'security_level': 'standard' ... elif scan_result.risk_level == 'HIGH': ... else: warnings.append(f"{skill.name} has elevated risk") ... scanned_skills.append(skill)
Block HIGH-risk components by default, require explicit confirmation to continue, and show the exact scanner findings before composition.
Users may assume the whole skill package was checked even though important non-Python behavior may not be scanned.
The scanner used before composition only examines Python files, so other skill artifacts such as instructions, install files, or non-Python helpers can bypass this security gate.
# Only scan Python files, skip docs/markdown
if path.endswith('.py'):
    files_to_scan = [path]
... if file.endswith('.py'):
Scan complete skill packages, including SKILL.md, install specs, dependency files, and helper scripts, or clearly label the scanner as Python-only.
A bad or unintended generated flow can remain available and influence later workflow composition.
Newly generated flows are saved into the registry for future reuse by default, creating persistent workflow state.
'auto_update_registry': True ... if self.config['auto_update_registry']:
    self.registry.register(flow_skill)
Review generated flows before reuse, disable auto_update_registry when experimenting, and periodically clean the registry.
Future dependency changes could alter behavior or introduce dependency risk.
Dependencies are specified with lower bounds rather than pinned versions, so installs can resolve to newer package versions than the author tested.
streamlit>=1.28.0
pandas>=2.0.0
nltk>=3.8.0
spacy>=3.6.0
bandit>=1.7.5
safety>=2.3.0
Install in an isolated environment and prefer pinned, hash-verified dependency versions for production use.
