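automation-workflow-builder (Automation workflow builder: designs and executes cross-platform automation flows, with support for scheduled triggers, file monitoring, and multi-step operations. Suited to data synchronization, content publishing, and report generation.)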

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is a very broad automation builder that openly uses file, network, and command tools, but its scheduled/webhook workflows and publish/upload actions lack clear approval, scope, and stop safeguards.

Install only if you are prepared to tightly control each workflow. Review every trigger, command, file path, external URL, upload/publish destination, and credential before enabling it, and prefer dry-run plus manual approval for any action that changes files, posts content, sends messages, or uses third-party accounts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A workflow could change local files, call external APIs, run commands, or send messages in ways that affect the user's system or accounts.

Why it was flagged

The skill explicitly exposes broad file mutation, network requests, data processing, command execution, and messaging as workflow actions, without documenting approval gates or limits.

Skill content

Action nodes
- File operations (read/write/move/copy)
- Network requests (GET/POST)
- Data processing (transform/format)
- Command execution
- Notification sending

Recommendation

Use only with explicit per-workflow approval. Require command/domain/path allowlists, dry-run previews, confirmation before destructive or public actions, and clear audit logs.

What this means

Automations may keep running after setup or be triggered by file changes/webhooks, potentially repeating harmful or unintended actions.

Why it was flagged

Cron, file-watch, and webhook triggers can create continuing or event-driven automation, but the artifacts do not describe lifecycle controls, expiration, disable mechanisms, or user review before each run.

Skill content

Trigger system
- Scheduled trigger (Cron)
- File change trigger
- API webhook trigger
- Manual trigger

Recommendation

Before enabling any trigger, define a clear schedule, owner, expiration time, stop/disable command, logs, and approval checkpoints for high-impact steps.

What this means

A bad input file, failed transform, or malicious webhook could propagate to public platforms, cloud storage, email, or messaging systems.

Why it was flagged

The templates chain automated inputs into external publishing, cloud upload, and messaging destinations, but do not include containment, staging, rollback, or human review guidance.

Skill content

Automated content publishing...publish to target platform...data sync...upload...cloud-storage...send email/messages

Recommendation

Add validation, staging/draft modes, human approval before external publication, retry limits, and rollback or deletion procedures.

What this means

If the user supplies broad API keys or account sessions, the workflows could publish, upload, or retrieve data with those privileges.

Why it was flagged

These workflows may require delegated access to external services, although the artifacts do not show hardcoded credentials or token collection.

Skill content

Publish to target platform...upload destination: "cloud-storage"...pull data from multiple APIs

Recommendation

Use least-privilege, service-specific credentials; avoid sharing browser sessions or full-account tokens; and confirm each external account action before enabling automation.