ClawHub

FlowFi

Security checks across malware telemetry and agentic risk

Overview

FlowFi is a coherent API documentation skill, but it asks agents to handle bearer tokens and perform high-impact workflow mutations without enough user-confirmation or token-safety guidance.

Review before installing. Use this only in trusted OpenClaw environments, prefer short-lived and least-privileged FlowFi tokens, revoke tokens after use, and require the agent to list and confirm exact workflow IDs before deploy, start, edit, stop, cancel, or delete actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README prominently documents destructive actions such as deploy, undeploy, stop, and delete, and even labels delete as 'safe for any status,' but it does not instruct the caller to obtain explicit user confirmation or explain the operational consequences. In an agent-skill context, that omission increases the chance that an LLM agent will perform irreversible or service-disrupting actions on behalf of a user without adequate safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to send JWT bearer tokens to OpenClaw for API and WebSocket authentication, but it provides no warning about token sensitivity, storage, scope, revocation, or exposure risks. Because bearer tokens grant access to workflows and accounts, mishandling them in an agent integration can enable account takeover, unauthorized workflow changes, or persistent misuse until revoked.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest description is broadly scoped to trigger on generic backend/API topics such as workflows, execution, real-time, templates, DTOs, and auth endpoints. This can cause the skill to activate for many ordinary requests unrelated to a specific need for FlowFi, increasing the chance that an unrelated conversation is steered by this skill's instructions or API assumptions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation exposes a permanently destructive endpoint and explicitly says it is 'safe for any status' without advising confirmation, dry-run, or user verification before use. In an agent/tooling context, that omission increases the chance an LLM or automation will invoke irreversible deletion from ambiguous or misinterpreted user requests.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| **Temporarily stop running** | `POST /workflows/:id/pause` (active → paused). Resume with `POST /workflows/:id/resume`. |
| **Stop and make editable again** | `POST /workflows/:id/undeploy` (active/paused/ended → draft). |
| **End the workflow** | `POST /workflows/:id/stop` (sets status to **ended**; no more runs). Can deploy again later. |
| **Remove the workflow permanently** | `DELETE /workflows/:id`. Safe for any status (backend stops scheduler if needed). |

---
Confidence
94% confidence
Finding
DELETE /workflows/:id`.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- **Undeploy** — `POST /workflows/:id/undeploy` → back to **draft** so you can edit.
- **Pause / Resume** — `POST /workflows/:id/pause`, `POST /workflows/:id/resume` (active ↔ paused).
- **Stop** — `POST /workflows/:id/stop` → **ended** (no more runs; can deploy again later).
- **Delete** — `DELETE /workflows/:id` removes the workflow permanently (any status).
- **List workflows** — `GET /workflows` with optional `?status=draft`, `?smartAccountId=...`, pagination.
- **Price** — `GET /price?symbol=BNB` (one token USD price, no auth); `GET /price/prices` (BNB + ETH, no auth).
- **Templates** — `GET /templates` (list, no auth), `GET /templates/display`, `GET /templates/categories`, `GET /templates/:id` (full); `POST /templates/:id/clone` (JWT) creates a draft workflow.
Confidence
93% confidence
Finding
DELETE /workflows/:id`

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal