v1.0.0

deerflow-install-master

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:40 AM.

Analysis

This is a coherent DeerFlow installation guide, but it would set up a long-running super-agent with shell/file tools, external credentials, and remote dependencies, so it needs careful review before use.

Guidance: Install this only if you intend to run DeerFlow as a local agent service. Before following the commands, pin trusted versions, review the repository and dependencies, protect API keys, confirm Docker/sandbox boundaries, restrict file and shell tools, bind services locally, and keep clear stop/remove instructions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
tools:
  - name: read_file
  - name: write_file
  - name: str_replace
  - name: bash

The DeerFlow configuration enables file read/write, string replacement, and bash tools by default. These are powerful agent capabilities, and the artifact does not clearly define path limits, approval requirements, or rollback controls.

User impact: A configured DeerFlow agent could read or change files and run shell commands within whatever sandbox or host permissions it receives.
Recommendation: Enable only the tools you need, confirm the sandbox boundaries, restrict writable paths, and require explicit user approval before shell or file-mutation actions.

Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
nohup .venv/bin/langgraph dev ... --port 2024 ... > /tmp/langgraph.log 2>&1 &

The guide starts DeerFlow services in the background and later recommends nohup or systemd for service keepalive. This persistence is disclosed and purpose-aligned, but it can keep agent-facing services running after the install task ends.

User impact: Local services may continue consuming resources and exposing agent endpoints until manually stopped.
Recommendation: Document and use explicit stop/remove commands, bind services to localhost unless needed, and avoid systemd keepalive unless you intend DeerFlow to run continuously.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
git clone https://github.com/bytedance/deer-flow.git ... pip install fastapi uvicorn httpx langchain langchain-openai ...

The installer uses a live GitHub clone and unpinned Python package installs. That is normal for an installation guide, but it means the installed code and dependencies may change over time.

User impact: Future installs may pull different code or dependency versions than the guide was tested with.
Recommendation: Pin a known DeerFlow commit or release, use a lockfile where possible, and verify package sources before running the install commands.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
OPENROUTER_API_KEY=your-key-here
TAVILY_API_KEY=your-key-here
INFOQUEST_API_KEY=your-key-here

The guide asks users to place model/search provider API keys in a .env file. These credentials are expected for DeerFlow integrations, but the registry metadata declares no credential requirements.

User impact: Provider keys may be used for model calls and search requests, and misuse could consume quota or expose account access.
Recommendation: Use least-privilege keys, store them with restrictive file permissions, monitor usage, and revoke keys if the installation is no longer needed.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
sudo usermod -aG docker $USER

The troubleshooting guidance suggests adding the user to the Docker group. That can be appropriate for Docker deployments, but Docker group access is a powerful local privilege.

User impact: Granting Docker access can materially expand what the user account can do on the host.
Recommendation: Only grant Docker group membership if necessary, understand the local privilege implications, and prefer a constrained container/runtime setup.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
base_url: https://openrouter.ai/api/v1 ... chat(message) → calls Gateway /api/chat

The setup routes chat/model activity through a local Gateway and an external model provider. This is disclosed and purpose-aligned, but the artifact does not describe authentication or data-handling boundaries for the Gateway/API flow.

User impact: Prompts, task content, and search/model requests may be sent through local services and external providers.
Recommendation: Review provider privacy terms, avoid sending secrets in prompts, and add authentication or local-only binding for the Gateway if it will run beyond a single-user local setup.