Skill
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: claude-flow
Version: 0.1.0
The skill bundle promotes high-risk execution patterns, specifically recommending the use of 'curl | bash' for installation from a remote GitHub repository (cdn.jsdelivr.net/gh/ruvnet/ruflo@main/scripts/install.sh). The SKILL.md instructions explicitly direct the AI agent to perform these installations and manage sensitive environment variables like ANTHROPIC_API_KEY. While these actions are aligned with the stated purpose of an orchestration platform, the combination of remote script execution and automated credential handling presents a significant security risk. Additionally, the _meta.json contains a future-dated publishedAt timestamp (2026), which is anomalous.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised upstream installer could execute arbitrary commands and alter Claude Code configuration under the user’s account.
The recommended path lets the AI run a mutable remote installer directly through bash, without a pinned version, hash, or reviewed install spec in the provided artifacts.
> **AI can execute automatically** ... curl -fsSL https://cdn.jsdelivr.net/gh/ruvnet/ruflo@main/scripts/install.sh | bash -s -- --full
Do not allow automatic installation; inspect the script/package first, pin to a trusted version or commit, and prefer a reviewed install spec or isolated environment.
An agent or hook could modify project files or run code in ways the user did not explicitly review, especially during broad refactor, testing, or security-scan tasks.
The skill documents agents with file read/write and code execution tools plus automatic lifecycle orchestration, but does not define per-directory limits, approval gates, or safe execution boundaries.
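tools: ["read_file", "write_file", "execute_code"] ... Claude-Flow's Hook system automatically: identifies the task type, selects a suitable combination of agents, coordinates execution and integrates the results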
Use it only in a disposable or version-controlled workspace, require confirmation before file writes or command execution, and restrict tools to the minimum needed for each task.
Private project details, mistaken outputs, or poisoned instructions could persist and influence future tasks.
The skill says successful patterns are automatically stored in persistent vector memory and reused later, but the artifacts do not bound what is stored, retention, exclusions, or cross-task reuse.
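Knowledge reuse: successful patterns are automatically stored in vector memory and reused directly for future tasks of the same kind ... HNSW vector search + SQLite persistence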
Before use, confirm where memory is stored, how to disable it, how to delete it, and what project files or task contents are excluded from indexing.
Provider keys may expose paid LLM accounts or incur API costs if misconfigured or used by broad autonomous workflows.
Provider API keys are expected for a multi-LLM orchestration tool, but they are sensitive credentials and are not declared in the registry metadata.
npx ruflo@latest config set provider anthropic --api-key $ANTHROPIC_API_KEY ... openai --api-key $OPENAI_API_KEY ... google --api-key $GOOGLE_API_KEY
Use dedicated, limited-scope API keys where possible, avoid committing .env files, monitor usage and spending, and remove keys from configuration when no longer needed.
Task context or code details may be shared among agents and MCP tools in ways that are not obvious from a single user prompt.
The skill is explicitly built around many agents, swarm topologies, and MCP integration, but the documentation does not spell out identity, origin, or permission boundaries between agents and tools.
Can directly coordinate 100+ specialized agents within a Claude Code session ... swarm topologies (hierarchical/mesh/ring/star) ... native MCP integration
Start with non-sensitive projects, review enabled MCP tools, and avoid giving swarms secrets or production credentials unless the communication boundaries are understood.
