Back to plugin

Security audit

ClawFlow

Security checks across malware telemetry and agentic risk

Overview

ClawFlow appears to be a legitimate workflow plugin, but it needs Review because flows can run shell commands, call agents and external APIs, persist sensitive state, and be configured for unattended full-exec operation.

Install only if you intend to let OpenClaw author and run automations. Keep the approval gate enabled unless the agent is isolated, inspect flows before running them, avoid unattended full-exec agents for untrusted inputs, do not expose the optional HTTP flow server without external access controls, and avoid putting long-lived secrets into flow state or persisted env values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description uses broad phrases like creating a workflow, automation, pipeline, or flow, which overlap with many common user intents and can cause the skill to activate in situations beyond its safest intended scope. Over-broad activation increases the chance an agent will enter a high-capability workflow-authoring context that enables execution, HTTP calls, agent delegation, and environment access without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The 'When to use this' section contains ambiguous invocation conditions such as 'user wants to chain AI calls' or 'user says create a flow,' without clear guardrails for when not to invoke the skill. In this context, ambiguity is risky because the skill exposes dangerous capabilities including shell execution, external HTTP requests, delegated agents with unrestricted exec configuration, and persistent memory operations.

VirusTotal

64/64 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_secret_literal

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
.ateam/worktrees/clawflow-seems-to-ignore-the-agent/src/core/runner.ts:1202
Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
.ateam/worktrees/is-this-true-one-issue/dist/core/runner.js:917
Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
.ateam/worktrees/is-this-true-one-issue/src/core/runner.ts:1238
Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
.internal/docs/first draft openclaw plugin/runner.ts:485
Evidence
const fn = new Function("input", "state", `"use strict"; return (${node.run});`);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/core/runner.js:810
Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/core/runner.ts:1192
Evidence
const fn = new Function("state", `"use strict"; return !!(${resolved});`);

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.ateam/worktrees/clawflow-seems-to-ignore-the-agent/src/core/custom-steps.ts:40
Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.ateam/worktrees/clawflow-seems-to-ignore-the-agent/src/core/runner.ts:174
Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.ateam/worktrees/is-this-true-one-issue/dist/core/custom-steps.d.ts:18
Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.ateam/worktrees/is-this-true-one-issue/dist/core/runner.js:111
Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.ateam/worktrees/is-this-true-one-issue/src/core/custom-steps.ts:40
Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.ateam/worktrees/is-this-true-one-issue/src/core/runner.ts:178
Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
.internal/docs/first draft openclaw plugin/runner.ts:277
Evidence
const apiKey = this.cfg.apiKey ?? process.env.ANTHROPIC_API_KEY;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/core/custom-steps.d.ts:18
Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/core/runner.js:100
Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/core/custom-steps.ts:40
Evidence
/** Resolved env (merged from flow.env + process.env). Empty object if none. */

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/core/runner.ts:174
Evidence
// Seed state.env: flow defaults → shell-expand $(…) → process.env overrides

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
.ateam/worktrees/clawflow-seems-to-ignore-the-agent/tests/core.test.ts:2299
Evidence
process.env.OPENROUTER_API_KEY = "[REDACTED]";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
.ateam/worktrees/is-this-true-one-issue/tests/core.test.ts:2442
Evidence
process.env.OPENROUTER_API_KEY = "[REDACTED]";

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/core.test.ts:2252
Evidence
process.env.OPENROUTER_API_KEY = "[REDACTED]";