Catfee AgentFlow工作流

Advisory. Audited by VirusTotal on Apr 7, 2026.

Overview

Type: OpenClaw Skill
Name: catfee-agent-flow
Version: 1.9.0

The bundle provides a workflow management system that talks to a remote MCP server at a hardcoded IP address (182.42.153.28). The most significant risk is the `upload_file` command in `scripts/agentflow.py` and the corresponding instructions in `SKILL.md`, which let the agent read local files and POST them to the remote server. The stated purpose is to upload project-related 'task documents', but the same mechanism can exfiltrate any local file the agent can read, and nothing in the bundle restricts which files qualify.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A requirement document could cause the agent to create tasks, change statuses, and sync data to AgentFlow even if the user only intended to discuss or review the document.

Why it was flagged

This makes remote workflow mutation the default response to receiving a requirement document, without a stated approval checkpoint, preview, or bounded workspace/project scope.

Skill content
Every time a requirement document is received, it must be synced to AgentFlow automatically: ... `create_project` + `create_requirement` ... `create_task` + `transition` ... requirement `transition`
Recommendation

Require explicit user confirmation before syncing, creating batches of tasks, uploading files, transitioning statuses, or deleting records; show a preview of all planned changes.
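One way to put that checkpoint in front of the sync, as an added example and not code from the skill itself: build the project/requirement/task/transition sequence the instructions prescribe as a plan, reject anything outside an allowed project scope, show the user a preview of every remote mutation, and only then execute. The tool names are the skill's own; the classification into mutating and destructive operations, the `Plan` and `PlannedAction` types, and the `ask`/`run` callbacks are assumptions of this example.

```python
from dataclasses import dataclass, field

# Tool names from SKILL.md. Which ones mutate remote state and which are
# destructive is this example's classification, not the skill's.
MUTATING_OPS = {
    "create_project", "create_requirement", "create_task", "transition",
    "upload_file", "delete_project", "delete_requirement",
}
DESTRUCTIVE_OPS = {"delete_project", "delete_requirement", "upload_file"}


@dataclass
class PlannedAction:
    op: str
    project: str
    args: dict = field(default_factory=dict)


@dataclass
class Plan:
    actions: list = field(default_factory=list)

    def add(self, op, project, **args):
        self.actions.append(PlannedAction(op, project, args))
        return self

    def mutations(self):
        return [a for a in self.actions if a.op in MUTATING_OPS]

    def preview(self):
        # Human-readable listing the user must approve before anything runs.
        lines = []
        for i, a in enumerate(self.mutations(), 1):
            tag = " [DESTRUCTIVE]" if a.op in DESTRUCTIVE_OPS else ""
            lines.append(f"{i}. {a.op}{tag} project={a.project} {a.args}")
        return "\n".join(lines)


def plan_from_requirement_doc(project, title, tasks):
    """Build the sync the skill prescribes (project -> requirement -> tasks
    -> transitions) as a plan. Nothing is sent to AgentFlow here."""
    plan = Plan()
    plan.add("create_project", project, name=project)
    plan.add("create_requirement", project, title=title)
    for t in tasks:
        plan.add("create_task", project, requirement=title, title=t)
        plan.add("transition", project, task=t, status="todo")
    return plan


def out_of_scope(plan, allowed_projects):
    """Mutations that would touch a project the user did not authorise."""
    return [a for a in plan.mutations() if a.project not in allowed_projects]


class ScopeError(Exception):
    pass


def execute_with_approval(plan, allowed_projects, ask, run):
    """ask(preview_text) -> bool is the user's decision; run(action) performs
    one remote call. Returns the number of actions executed (0 if declined).
    Raises ScopeError before asking, so the preview never contains
    out-of-scope work that a hurried "yes" could approve."""
    bad = out_of_scope(plan, allowed_projects)
    if bad:
        raise ScopeError(f"{bad[0].op} targets project {bad[0].project!r}")
    muts = plan.mutations()
    if not muts or not ask(plan.preview()):
        return 0
    for a in muts:
        run(a)
    return len(muts)
```

The point of separating planning from execution is that a document arriving in the agent's context can at most produce a preview; the remote calls happen only after an explicit answer from the user, and a plan that reaches outside the agreed project set is refused before the question is even asked.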

What this means

Private project documents or attachments may leave the local environment and could be exposed to the remote service or intercepted on the network.

Why it was flagged

The script uses a fixed plaintext HTTP endpoint and uploads local file bytes to a server-provided upload URL; relative upload URLs would go to the same HTTP host.

Skill content
BASE_URL = "http://182.42.153.28:18900" ... with open(filepath, 'rb') as f: file_data = f.read() ... post_resp = requests.post(upload_url, files=files, timeout=60)
Recommendation

Use only a trusted, HTTPS AgentFlow endpoint; avoid uploading confidential files unless the provider, storage, and retention practices are understood.
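A hardened version of the upload step, added here as an example rather than taken from `scripts/agentflow.py`: the endpoint comes from configuration and must be https, the server-provided upload URL is resolved against that base and must stay on the same origin (so a relative URL cannot silently land on a plaintext host and an absolute one cannot redirect the bytes elsewhere), the file path is confined to the project directory, and the user confirms the exact file and destination before anything is sent. The environment variable names `AGENTFLOW_BASE_URL` and `AGENTFLOW_TOKEN`, the injected `post` transport, and the constructed project directory in `demo()` are this example's assumptions.

```python
import tempfile
from pathlib import Path
from urllib.parse import urljoin, urlsplit


class UploadPolicyError(Exception):
    pass


def load_endpoint(env):
    """Endpoint from configuration, never a literal in the script, and https only.
    The env var name AGENTFLOW_BASE_URL is this example's assumption."""
    base = env.get("AGENTFLOW_BASE_URL", "")
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.hostname:
        raise UploadPolicyError(f"AGENTFLOW_BASE_URL must be an https URL, got {base!r}")
    return base


def resolve_upload_url(base, server_supplied):
    """The original script POSTs to whatever upload URL the server returns.
    Resolve it against the configured base and refuse anything that leaves
    that https origin: another host, another port, or a downgrade to http."""
    target = urljoin(base, server_supplied)
    b, t = urlsplit(base), urlsplit(target)
    if t.scheme != "https" or (t.hostname, t.port) != (b.hostname, b.port):
        raise UploadPolicyError(f"refusing upload URL {target!r}: outside {base!r}")
    return target


def confine_path(project_root, requested):
    """Only regular files under the project directory may be uploaded;
    '..' segments and symlinks that escape the root are rejected after
    resolution, not by string inspection."""
    root = Path(project_root).resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UploadPolicyError(f"{requested!r} is outside the project root") from None
    if not candidate.is_file():
        raise UploadPolicyError(f"{requested!r} is not a regular file")
    return candidate


def upload_file(requested, project_root, server_supplied_url, env, confirm, post):
    """confirm(summary) -> bool asks the user; post(url, data, headers) does
    the HTTP call. It is injected so the example runs offline; in real use
    pass a thin wrapper around requests.post(..., timeout=60)."""
    base = load_endpoint(env)
    url = resolve_upload_url(base, server_supplied_url)
    path = confine_path(project_root, requested)
    data = path.read_bytes()
    if not confirm(f"upload {path.name} ({len(data)} bytes) to {url}"):
        return None
    token = env.get("AGENTFLOW_TOKEN")  # workspace-scoped credential; assumed name
    if not token:
        raise UploadPolicyError("AGENTFLOW_TOKEN not configured")
    return post(url, data, {"Authorization": f"Bearer {token}"})


def demo():
    """Offline run over a constructed project directory. Returns what the
    fake transport received and how many escape attempts were blocked."""
    env = {"AGENTFLOW_BASE_URL": "https://flow.example.com:8443",
           "AGENTFLOW_TOKEN": "example-token"}
    sent = []

    def fake_post(url, data, headers):
        sent.append((url, len(data), headers["Authorization"]))
        return {"ok": True}

    with tempfile.TemporaryDirectory() as root:
        Path(root, "docs").mkdir()
        Path(root, "docs", "task.md").write_text("# constructed task doc\n")
        result = upload_file("docs/task.md", root, "/api/upload/abc",
                             env, lambda s: True, fake_post)
        blocked = 0
        # Path traversal, downgrade to the hardcoded plaintext host, foreign host.
        for req, url in [("../../etc/passwd", "/api/upload/abc"),
                         ("docs/task.md", "http://182.42.153.28:18900/upload"),
                         ("docs/task.md", "https://other.example/upload")]:
            try:
                upload_file(req, root, url, env, lambda s: True, fake_post)
            except UploadPolicyError:
                blocked += 1
    return {"result": result, "sent": sent, "blocked": blocked}
```

The three checks are independent and each closes a different path the original code leaves open: a misconfigured or attacker-controlled base URL, an upload URL chosen by the server, and a file argument chosen by whatever document the agent is reading.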

What this means

Users may not know whose AgentFlow workspace is being changed, and actions could affect shared remote data rather than a clearly authenticated personal account.

Why it was flagged

The artifacts declare no user/account credential, while SKILL.md exposes remote create, update, status-transition, and delete operations. The affected workspace or user identity boundary is not clear.

Skill content
Required env vars: none; Env var declarations: none; Primary credential: none
Recommendation

Require an account- or workspace-scoped credential/configuration, document the permission model, and confirm destructive actions such as delete_project and delete_requirement.

What this means

Sensitive context could be retained or reused later, and stale or incorrect stored context could influence future workflow actions.

Why it was flagged

The skill lists context-management tools, suggesting persistent stored context, but the included artifacts do not describe what is stored, how long it is retained, or how future tasks should trust it.

Skill content
Auxiliary | `log_context` / `get_context` / `delete_context` | context data management
Recommendation

Do not store secrets in context; document retention and reuse rules; review or delete stored context when it is no longer needed.
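The artifacts say nothing about what the three context tools persist or for how long, so the rules above have to be enforced on the client side. The following is an added example, not the skill's implementation: a local stand-in for `log_context` / `get_context` / `delete_context` that refuses values matching common secret shapes and attaches an expiry to every entry so stale context cannot steer a later task. The `ContextStore` class, the pattern list, and the injectable `clock` are assumptions of this example.

```python
import re
import time

# Shapes that must never be persisted as "context". The list is this
# example's own; extend it with the credential formats used locally.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|token|secret|password|passwd)\b\s*[:=]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                 # AWS access key ID shape
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),        # GitHub token shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key
]


def looks_like_secret(text):
    return any(p.search(text) for p in SECRET_PATTERNS)


class ContextStore:
    """Local stand-in for log_context / get_context / delete_context with two
    rules the skill's artifacts lack: a secret filter on write and an expiry
    on every entry. `clock` is injectable so expiry can be tested."""

    def __init__(self, default_ttl_seconds=7 * 24 * 3600, clock=time.time):
        self._items = {}
        self.default_ttl = default_ttl_seconds
        self.clock = clock

    def log_context(self, key, value, ttl_seconds=None):
        if looks_like_secret(value):
            raise ValueError(f"refusing to store context {key!r}: value looks like a secret")
        ttl = self.default_ttl if ttl_seconds is None else ttl_seconds
        self._items[key] = (value, self.clock() + ttl)

    def get_context(self, key):
        item = self._items.get(key)
        if item is None:
            return None
        value, expires = item
        if self.clock() >= expires:
            # Expired context is dropped rather than returned, so a later
            # task never acts on state nobody reviewed.
            del self._items[key]
            return None
        return value

    def delete_context(self, key):
        return self._items.pop(key, None) is not None

    def purge_expired(self):
        now = self.clock()
        stale = [k for k, (_, exp) in self._items.items() if now >= exp]
        for k in stale:
            del self._items[k]
        return len(stale)
```

The pattern list is a filter of last resort, not a guarantee; the retention rule (a short default TTL and a periodic `purge_expired`) is what keeps the store from becoming a long-lived record of everything the agent saw.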

What this means

Users have less assurance about who controls the service receiving their workflow data and files.

Why it was flagged

No source repository or homepage is provided for a skill that depends on a fixed external service, reducing the user's ability to verify the operator or provenance.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the publisher and AgentFlow server out of band before use, and prefer a documented source/homepage and configurable endpoint.