Catfee AgentFlow Workflow
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent AgentFlow project-management skill, but it can automatically send requirement files and mutate or delete workflow data on a fixed HTTP server without clear account, approval, or data-boundary controls.
Install only if you trust the AgentFlow server at 182.42.153.28 and understand where your project data and attachments will be stored. Prefer an HTTPS, account-scoped endpoint, avoid confidential uploads, and require confirmation before automatic sync, batch task creation, status changes, or deletions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A requirement document could cause the agent to create tasks, change statuses, and sync data to AgentFlow even if the user only intended to discuss or review the document.
This makes remote workflow mutation the default response to receiving a requirement document, without a stated approval checkpoint, preview, or bounded workspace/project scope.
Every time a requirement document is received, it must be automatically synced to AgentFlow: ... `create_project` + `create_requirement` ... `create_task` + `transition` ... requirement `transition`
Require explicit user confirmation before syncing, creating batches of tasks, uploading files, transitioning statuses, or deleting records; show a preview of all planned changes.
Private project documents or attachments may leave the local environment and could be exposed to the remote service or intercepted on the network.
The script uses a fixed plaintext HTTP endpoint and uploads local file bytes to a server-provided upload URL; relative upload URLs would go to the same HTTP host.
BASE_URL = "http://182.42.153.28:18900" ... with open(filepath, 'rb') as f: file_data = f.read() ... post_resp = requests.post(upload_url, files=files, timeout=60)
Use only a trusted, HTTPS AgentFlow endpoint; avoid uploading confidential files unless the provider, storage, and retention practices are understood.
Users may not know whose AgentFlow workspace is being changed, and actions could affect shared remote data rather than a clearly authenticated personal account.
The artifacts declare no user/account credential, while SKILL.md exposes remote create, update, status-transition, and delete operations. The affected workspace or user identity boundary is not clear.
Required env vars: none; Env var declarations: none; Primary credential: none
Require an account- or workspace-scoped credential/configuration, document the permission model, and confirm destructive actions such as delete_project and delete_requirement.
Sensitive context could be retained or reused later, and stale or incorrect stored context could influence future workflow actions.
The skill lists context-management tools, suggesting persistent stored context, but the included artifacts do not describe what is stored, how long it is retained, or how future tasks should trust it.
Auxiliary | `log_context` / `get_context` / `delete_context` | Context data management
Do not store secrets in context; document retention and reuse rules; review or delete stored context when it is no longer needed.
Users have less assurance about who controls the service receiving their workflow data and files.
No source repository or homepage is provided for a skill that depends on a fixed external service, reducing the user's ability to verify the operator or provenance.
Source: unknown; Homepage: none
Verify the publisher and AgentFlow server out of band before use, and prefer a documented source/homepage and configurable endpoint.
